
Re: CSP XML Data with tokens

From: <sird@rckc.at>
Date: Mon, 31 Jan 2011 11:07:43 -0600
Message-ID: <AANLkTimWQyvv82ERCjQLaMDt-WYSEAGeuhLRtzKKvzet@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, Giorgio Maone <g.maone@informaction.com>, Adam Barth <w3c@adambarth.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Brandon Sterne <bsterne@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>

Yeah, that was one of the suggestions. But people considered it
unsafe, because you could just close the </iframe>. To make it harder
to make this type of mistake, they made it inside an attribute.

-- Eduardo

On Mon, Jan 31, 2011 at 2:19 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> Ok well so the daft thing with seamless iframes in HTML attributes, why not
> use the node value? Since this isn't rendered on older browsers and you
> don't need to use entities to render HTML.
> <iframe>
> <![CDATA[182kDJsw82
> 182kDJsw82]]>
> </iframe>
> Then it works in XML too, you'd just have to watch out for closing cdata and
> iframe
Received on Monday, 31 January 2011 17:08:41 UTC
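
The trade-off discussed in this thread, as an added example that is not part of either message: content placed in the iframe's node value must never contain the container's own terminators, while content placed in an attribute only needs a small fixed set of characters escaped. The function names, the sample markup and the use of `srcdoc` as the attribute name are assumptions; the thread only says "an attribute".

```javascript
// Added example, not code from the thread. All names are hypothetical.

// Node-value embedding as proposed in the quoted message: CDATA inside <iframe>.
function embedAsNodeValue(markup) {
  return "<iframe><![CDATA[" + markup + "]]></iframe>";
}

// The node-value container ends at the first "]]>" (XML) or "</iframe" (HTML).
// Returns the terminators found in the content; non-empty means the content
// would end the container early and must be rejected or rewritten.
function nodeValueTerminators(markup) {
  const found = [];
  if (markup.includes("]]>")) found.push("]]>");
  if (/<\/iframe/i.test(markup)) found.push("</iframe");
  return found;
}

// Attribute embedding: inside a double-quoted value only '"' ends the value
// and '&' starts a character reference. '<' is escaped as well so the same
// output is legal in XML. '&' must be escaped first.
function escapeForAttribute(markup) {
  return markup.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

function embedAsAttribute(markup) {
  // "srcdoc" is an assumed attribute name for this illustration.
  return '<iframe srcdoc="' + escapeForAttribute(markup) + '"></iframe>';
}

// Reverses escapeForAttribute; "&amp;" is decoded last so that literal text
// such as "&lt;" in the original content survives the round trip.
function decodeAttribute(value) {
  return value.replace(/&lt;/g, "<").replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// Constructed sample: ordinary markup that happens to contain both terminators.
const SAMPLE = '<p title="a&amp;b">hi</p></iframe><b>out</b>]]>';

function demo() {
  const escaped = escapeForAttribute(SAMPLE);
  return {
    terminators: nodeValueTerminators(SAMPLE),
    attributeHasRawQuote: escaped.includes('"'),
    roundTrips: decodeAttribute(escaped) === SAMPLE,
  };
}
```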