- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Sun, 13 Dec 2009 21:06:22 -0800
- To: "sird@rckc.at" <sird@rckc.at>, "public-web-security@w3.org" <public-web-security@w3.org>
On 12/7/09 12:30 AM, sird@rckc.at wrote:
> Ian, are you aware that that will provide CSS the power to execute
> JavaScript cross-site? (Think of XSS.)
>
> Right now we can't do this on Firefox anymore, because they limited it
> to same domain, but if this gets implemented then attacker.com
> will just send the header so his script will be loaded.

Mozilla isn't going to expand the use of XBL(1) bindings with or without CORS; we'd like to kill remote XBL(1) dead, in fact.

The part of the spec you quoted, however, refers to XBL 2.0, which has a different processing model. We will only consider loading cross-origin XBL 2 if scripts in a binding respect the same-origin policy.
Received on Monday, 14 December 2009 05:07:26 UTC