webappsec-ISSUE-15 (SRCDOC, BLOB, ETC): How to handle srcdoc, blob:, di: and ways of directly creating content

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 03 Jul 2012 21:43:15 +0000
Message-Id: <E1SmAsN-0008Fz-MX@nelson.w3.org>
To: public-webappsec@w3.org

http://www.w3.org/2011/webappsec/track/issues/15

Raised by: Brad Hill
On product: 

http://lists.w3.org/Archives/Public/public-whatwg-archive/2012May/0100.html

How to handle "inline" content either by attribute or URI schemes that specify content or origin-ambiguous pointers to content needs to be documented. This may provide a way for injected content to add unauthorized content if such content does not inherit the parent's CSP policies, for example.
Received on Tuesday, 3 July 2012 21:43:16 GMT