W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2012

Re: Proposal: Document.parse() [AKA: Implied Context Parsing]

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 5 Jun 2012 20:24:42 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
cc: Rafael Weinstein <rafaelw@google.com>, Webapps WG <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.64.1206051951351.15120@ps20323.dreamhostps.com>
On Mon, 4 Jun 2012, Adam Barth wrote:
> >
> >   http://www.hixie.ch/specs/e4h/strawman
> >
> > Who wants to be first to implement it?
> 
> Doesn't e4h have the same security problems as e4x?

As written it did, yes (specifically, if you can inject content into an 
XML file you can cause it to run JS under your control in your origin with 
content from the other origin). However, as Anne and you have said, it's 
easy to fix, either by using an XML-incompatible syntax or using CORS to 
disable it. Since we have to disable it in Workers anyway, I'd go with 
disabling it when there's no CORS. Strawman has been updated accordingly.


On Tue, 5 Jun 2012, Anne van Kesteren wrote:
> 
> A (bigger?) problem with E4H/H4E is that TC39 does not like it:
> http://lists.w3.org/Archives/Public/public-script-coord/2011OctDec/thread.html#msg33

What matters is what implementors want to do.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 5 June 2012 20:25:11 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:52 GMT