[Bug 26898] [imports]: <link rel=import> shouldn't be active when added by innerHTML from bugzilla@jessica.w3.org on 2014-09-24 (public-webapps-bugzilla@w3.org from September 2014)

From: <bugzilla@jessica.w3.org>
Date: Wed, 24 Sep 2014 22:35:34 +0000
To: public-webapps-bugzilla@w3.org
Message-ID: <bug-26898-2532-aj8s1zmmn4@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898

--- Comment #3 from Jonas Sicking <jonas@sicking.cc> ---
The current limitation was mainly added in order to be compatible with the web.
It was originally not added for any security reasons.

I don't think that blocking <script> in innerHTML is a meaningful
XSS-prevention mechanism. But others might disagree.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Wednesday, 24 September 2014 22:35:35 UTC