- From: <bugzilla@jessica.w3.org>
- Date: Wed, 19 Jun 2013 23:59:48 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21958 --- Comment #21 from Dominic Cooney <dominicc@chromium.org> --- (In reply to comment #17) > (In reply to comment #16) > > If you make this change, the custom elements defined by the page can be > > activated by that untrusted content. That may not be a good idea. > > This is interesting. I guess there are vectors of attack that could be > thought up that way. But... if the attacker can register an element, isn't > the battle already over? In this case the untrusted content is not registering an element (I assume it could not do that?) but running the script of an element already registered. (In reply to comment #18) > Just to enumerate our choices, while the discussion is still in progress: > > ... Moving the registry to the Window/document environment is right. Now you need to come to terms with not all documents being active documents. Here's a strawman: document.the_funk() This opts the document into Custom Element processing of the calling document environment. Not having the_funk is evident everywhere by the spec's use of CONTEXT. These no-active documents do not have a browsing context. -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Wednesday, 19 June 2013 23:59:49 UTC