- From: <bugzilla@jessica.w3.org>
- Date: Wed, 19 Jun 2013 17:22:35 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21958

--- Comment #17 from Dimitri Glazkov <dglazkov@chromium.org> ---
(In reply to comment #16)
> Adam would point out that there could be code in the wild using DOMParser or
> document.implementation.createHTMLDocument to parse untrusted content, or
> Cross-Origin XHR to retrieve documents, and that code assumes those
> documents don't activate anything.
>
> If you make this change, the custom elements defined by the page can be
> activated by that untrusted content. That may not be a good idea.

This is interesting. I guess there are vectors of attack that could be thought
up that way. But... if the attacker can register an element, isn't the battle
already over?
Received on Wednesday, 19 June 2013 17:22:37 UTC
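
The concern quoted from comment #16, as an added example that is not part of the bug thread or any participant's code: a check that code parsing untrusted markup with DOMParser could run on the result, listing the elements that match custom element definitions registered by the page itself. It assumes the later `customElements.get()` registry API rather than the 2013 draft; the function names and the sample markup are hypothetical.

```javascript
// Added example. Works on any tree exposing querySelectorAll(), such as the
// Document returned by DOMParser or createHTMLDocument.
function findRegisteredCustomElements(root, registry) {
  const hits = [];
  for (const el of root.querySelectorAll('*')) {
    // Autonomous custom elements always have a hyphen in the tag name.
    // Customized built-ins keep a built-in tag and name their definition
    // in the "is" attribute.
    const name = el.localName.includes('-')
      ? el.localName
      : el.getAttribute('is');
    if (name && registry.get(name) !== undefined) {
      hits.push({ tag: el.localName, definition: name });
    }
  }
  return hits;
}

// Gate for callers that rely on parsed untrusted content staying inert:
// refuse the tree if any element would bind to a page-registered definition.
function assertNoPageDefinedElements(root, registry) {
  const hits = findRegisteredCustomElements(root, registry);
  if (hits.length > 0) {
    const names = hits.map((h) => h.definition).join(', ');
    throw new Error('untrusted markup references page-defined elements: ' + names);
  }
  return root;
}

// Browser usage with constructed sample markup; skipped where no DOM exists.
if (typeof DOMParser !== 'undefined' && typeof customElements !== 'undefined') {
  const untrusted = '<p>hello</p><user-card></user-card>'; // constructed sample
  const doc = new DOMParser().parseFromString(untrusted, 'text/html');
  console.log(findRegisteredCustomElements(doc, customElements));
}
```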