- From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
- Date: Thu, 20 Jan 2011 16:59:17 -0700
- To: Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>
- CC: Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Sid Stamm <sid@mozilla.com>, Lucas Adamski <ladamski@mozilla.com>
> -----Original Message-----
> From: public-web-security-request@w3.org [mailto:public-web-security-request@w3.org] On Behalf Of Michal Zalewski
>
> Specifically, consider that within any medium-complexity domain
> (mozilla.com, google.com, facebook.com), you can almost certainly discover
> a location that returns HTML-escaped attacker-supplied text in a context that
> would parse as valid JavaScript. This is easier than expected particularly in
> browsers that support E4X - such as Firefox.
>
> If I have a 404 HTML page saying:

Not to nitpick on this bug too much, but regardless of the underlying parsing issue, shouldn't the browser refuse to load this resource when it gets returned with a 404 error code? At least we'd exclude the one corner case then, right?

- Andy

Received on Monday, 24 January 2011 17:58:24 UTC