Re: HTML imports: new XSS hole?

A clarification to make sure people are on the same page:

On Mon, Jun 2, 2014 at 5:54 AM, James M Snell <jasnell@gmail.com> wrote:

> So long as they're handled with the same policy and restrictions as the
> script tag, it shouldn't be any worse.
>
HTML Imports are a bit more strict. They look for the CORS header and decline
cross-origin imports if there is none.
Also, requests for imports don't send any credentials to other origins.
> On Jun 2, 2014 2:35 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
>> How big of a problem is it that we're making <link> as dangerous as
>> <script>? HTML imports can point to any origin which then will be able
>> to execute scripts with the authority of same-origin.
>>
>>
>> --
>> http://annevankesteren.nl/
>>
>>


-- 
morrita

Received on Tuesday, 3 June 2014 16:49:01 UTC
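As an added example, not code from this thread or from any browser's implementation of HTML Imports: a small JavaScript model of the policy morrita describes above, so the difference from a plain `<script src>` is visible in one place. Same-origin imports are fetched like any same-origin subresource; cross-origin imports are fetched without credentials and are applied only when the response carries an `Access-Control-Allow-Origin` header that matches the importing origin. The importing origin, the import URLs and the response headers are constructed for illustration, and treating `*` or an exact origin match as the server's opt-in is an assumption of the model rather than a claim about any specific engine.

```javascript
// Added example (not from the thread): a model of the HTML Imports
// cross-origin policy as described in the reply above.
// Assumptions: a cross-origin import is fetched with credentials omitted,
// and is applied only when the response carries Access-Control-Allow-Origin
// equal to "*" or to the importing document's origin.

// Case-insensitive lookup of a response header; returns undefined if absent.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Decide whether an HTML Import may be applied to the importing document.
//   documentOrigin:  origin of the page holding <link rel="import">
//   importUrl:       href of the import
//   responseHeaders: plain object of response header name -> value
// Returns { allowed, credentials, reason }.
function decideHtmlImport(documentOrigin, importUrl, responseHeaders) {
  const importer = new URL(documentOrigin).origin;
  const target = new URL(importUrl).origin; // scheme + host + port, default port dropped

  if (target === importer) {
    // Same-origin: no CORS needed, behaves like a same-origin <script>;
    // cookies and other credentials accompany the request as usual.
    return { allowed: true, credentials: 'include', reason: 'same-origin import' };
  }

  // Cross-origin: the fetch carries no credentials, so the remote server
  // cannot accidentally serve user-specific content into the importing page,
  // and it must opt in explicitly because scripts in the imported document
  // would run with the importer's authority.
  const acao = headerValue(responseHeaders, 'access-control-allow-origin');
  if (acao === undefined) {
    return {
      allowed: false,
      credentials: 'omit',
      reason: 'cross-origin import declined: no Access-Control-Allow-Origin header',
    };
  }
  if (acao === '*' || acao === importer) {
    return { allowed: true, credentials: 'omit', reason: `server opted in with Access-Control-Allow-Origin: ${acao}` };
  }
  return {
    allowed: false,
    credentials: 'omit',
    reason: `Access-Control-Allow-Origin ${acao} does not match importing origin ${importer}`,
  };
}

// Constructed scenarios: the page at https://app.example imports from
// itself and from a third-party host that answers in different ways.
const scenarios = [
  { label: 'same-origin component', doc: 'https://app.example',
    href: 'https://app.example/components/menu.html', headers: {} },
  { label: 'third party, no CORS header', doc: 'https://app.example',
    href: 'https://cdn.third-party.example/widget.html', headers: { 'Content-Type': 'text/html' } },
  { label: 'third party, CORS opt-in for this origin', doc: 'https://app.example',
    href: 'https://cdn.third-party.example/widget.html',
    headers: { 'Content-Type': 'text/html', 'Access-Control-Allow-Origin': 'https://app.example' } },
  { label: 'third party, CORS header for a different origin', doc: 'https://app.example',
    href: 'https://cdn.third-party.example/widget.html',
    headers: { 'Access-Control-Allow-Origin': 'https://other.example' } },
];

// Evaluate every scenario and return the decisions (also printed below).
function runScenarios() {
  return scenarios.map((s) => ({ label: s.label, ...decideHtmlImport(s.doc, s.href, s.headers) }));
}

for (const r of runScenarios()) {
  console.log(`${r.allowed ? 'ALLOW ' : 'DECLINE'} [credentials: ${r.credentials}] ${r.label}: ${r.reason}`);
}
```

Only the second and fourth scenarios are declined; the third is applied but was fetched without credentials, which is the point of the reply: a third-party host has to opt in before its markup can run in the importing page, and it never sees the importer's cookies while doing so.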