
[Bug 14502] Why do we want to taint on style set and not on style use?

From: <bugzilla@jessica.w3.org>
Date: Sat, 29 Oct 2011 01:38:28 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1RJxsS-0005xb-AA@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14502

--- Comment #11 from Adam Barth <w3c@adambarth.com> 2011-10-29 01:38:27 UTC ---
> If I have a site at
> foo.bar.com and it sets document.domain to bar.com, does that allow it to read
> image data from bar.com?

I hope not!  That would be a security vulnerability.  :)

IMHO, we should just pretend document.domain doesn't exist for all of these
modern security checks.

Received on Saturday, 29 October 2011 01:38:30 UTC
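
The distinction the comment draws, as an added example that is not part of the original message or of any browser's code: a small model in which the legacy document.domain relaxation and the strict origin-tuple comparison are separate checks, and the pixel-read decision uses only the strict one. All function names are hypothetical, and the model skips the public-suffix restriction real browsers place on document.domain.

```javascript
// Added illustration: origins are modelled as plain data, no real DOM is used.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple (scheme, host, port) of a URL; `domain` stays undefined
// until a page opts in by setting document.domain.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
    domain: undefined,
  };
}

// Model of a page assigning document.domain to its own host or a parent suffix.
function withDocumentDomain(origin, value) {
  if (origin.host !== value && !origin.host.endsWith("." + value)) {
    throw new Error("document.domain must be a suffix of the current host");
  }
  return { ...origin, domain: value };
}

// Strict check: the tuples must match exactly; `domain` is never consulted.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Legacy relaxed check used for script-to-script DOM access: both sides must
// have opted in with the same value, and the port is ignored.
function sameOriginDomain(a, b) {
  if (a.domain !== undefined && b.domain !== undefined) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === undefined && b.domain === undefined) return sameOrigin(a, b);
  return false;
}

// Decision for reading image pixels back (the canvas taint question in the
// bug): only the strict tuple counts, so document.domain cannot widen it.
function canReadImageData(pageOrigin, imageUrl) {
  return sameOrigin(pageOrigin, originOf(imageUrl));
}
```

With a page at foo.bar.com that has set document.domain to bar.com, `sameOriginDomain` accepts a bar.com document that opted in the same way, while `canReadImageData` still refuses an image served from bar.com.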
