Re: style-src and inline style

On 6 April 2011 01:33, Adam Barth <w3c@adambarth.com> wrote:

> I guess I don't understand the use case for blocking external style
> sheets but not inline style.  Why would an author want to do that?
>

+1

Even if we ignore the XSS threat from style, we don't want an attacker to be
able to inject:-
<div style="background:url(//banking?transfer=1337&account=12345)"></div>

Received on Wednesday, 6 April 2011 08:01:23 UTC
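
Added example, not part of the original message or of any CSP implementation: a check of whether a given policy would let an injected style="" attribute like the one above take effect. It follows current CSP rules ('unsafe-inline', nonce/hash sources, fallback to default-src); the function names and sample policies are constructed for illustration.

```javascript
// Added example; the policies passed in are constructed samples.

// Parse a CSP header value into Map(directive name -> source expressions).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when the policy would let an injected style="" attribute apply.
function inlineStyleAttrAllowed(header) {
  const directives = parseCsp(header);
  // Fallback chain for style attributes: style-src-attr, style-src, default-src.
  let sources;
  for (const name of ['style-src-attr', 'style-src', 'default-src']) {
    if (directives.has(name)) { sources = directives.get(name); break; }
  }
  if (sources === undefined) return true; // no directive governs inline style
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash source makes the browser ignore 'unsafe-inline'; nonces
  // cannot be attached to attributes, so the attribute is treated as blocked.
  // (Hash matching of attributes via 'unsafe-hashes' is not modelled here.)
  const hasNonceOrHash = lower.some((s) =>
    /^'nonce-[^']+'$/.test(s) || /^'sha(256|384|512)-[^']+'$/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Report for a list of constructed policies.
function audit(policies) {
  return policies.map((p) => ({ policy: p, inlineStyle: inlineStyleAttrAllowed(p) }));
}

console.log(audit([
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline' 'nonce-Zm9v'",
]));
```

The request made by a url() inside an allowed inline style is a separate decision, governed by img-src (or default-src) rather than style-src.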