- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 8 May 2015 07:13:35 +0200
- To: Ahmed Elsobky <mreagle0x@gmail.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Thu, May 7, 2015 at 10:50 PM, Ahmed Elsobky <mreagle0x@gmail.com> wrote:
> <script src=http://example.com/user/1001/settings onerror="javascript:x=1">

Do you have a test case showing that <script> fires an error event
consistently for 4xx or 5xx status codes? I thought it would always
try to parse the result as a script and execute it.

> ..Any thoughts?

I proposed http://www.w3.org/TR/2012/NOTE-from-origin-20120529/ at
some point to mitigate this. There wasn't much interest.

--
https://annevankesteren.nl/

Received on Friday, 8 May 2015 05:13:59 UTC