- From: Frederik Braun <fbraun@mozilla.com>
- Date: Tue, 04 Feb 2014 09:22:34 +0100
- To: Hajime Morrita <morrita@google.com>
- CC: Gabor Krizsanits <gkrizsanits@mozilla.com>, Nick Krempel <ndkrempel@google.com>, Scott Miles <sjmiles@google.com>, public-webapps <public-webapps@w3.org>
On 03.02.2014 21:58, Hajime Morrita wrote: > Parser-made script means the <script> tags and its contents that are > written in HTML bytestream, not given by DOM mutation calls from > scripts. As HTML Imports doesn't allow document.write(), it seems safe > to assume that these scripts are statically given by the author, not an > attacker. > I don't see how this mitigates XSS concerns. If we allow inline script there's no way to tell if the imported document has intended or injected inline scripts. Imagine an import that includes something like "import.php?userName=<script>alert(1)</script>".
Received on Tuesday, 4 February 2014 08:23:05 UTC