
Re: Using

From: David Woolley <david@djwhome.demon.co.uk>
Date: Thu, 4 Dec 2003 21:32:47 +0000 (GMT)
Message-Id: <200312042132.hB4LWlO01291@djwhome.demon.co.uk>
To: www-html@w3.org

> If the following:
> 
> document.formPrincipal.PHOTO1.disabled=true;

This is off topic: "how to" question, and document object model issue.

What you seem to be trying to do is to create a "rogue server can read
any file readable to the browser user" security breach.  If you succeed
and publish, you should expect the loophole to be closed in the next
hot fix for the browser.

Providing tainting checks to permit this is well beyond the current state
of AI; it requires analysing the user's view of what is on the screen.
Even the current, relatively objective, security checks get done wrong.
Received on Thursday, 4 December 2003 17:26:23 GMT
