- From: Mike Samuel <notifications@github.com>
- Date: Wed, 01 May 2019 08:48:48 -0700
- To: w3c/webcomponents <webcomponents@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 1 May 2019 15:49:10 UTC
@Lonniebiz re > If the javascript file is directly navigated to (and therefore not clicked on from a "view-source:https" page), my idea would be to scan the file for the "createHTMLDocument" string. I would oppose anything that would cause Content-type:text/javascript served by existing origins to run code within that origin. Recasting a widely used inactive content-type as an active content-type will introduce unnecessary vulnerabilities for file hosting services and CDNs that are careful about what they attach HTML, XHTML, and SVG content-types to but are less careful about other widely used content-types. > However, personally, if the javascript file is navigated to directly, I'm ok with the browser just running the script; There is a long history of vulnerabilities that involve socially engineering users into going to a URL via ads, URL shortneners, open redirectors, and `<a href="//cdn.org/people-dont-consistently-read-urls.js">Cute kittens</a>`. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/webcomponents/issues/807#issuecomment-488321246
Received on Wednesday, 1 May 2019 15:49:10 UTC