- From: Mike Samuel <notifications@github.com>
- Date: Wed, 01 May 2019 09:27:38 -0700
- To: w3c/webcomponents <webcomponents@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 1 May 2019 16:28:00 UTC
@Lonniebiz

> `<a href="//cdn.org/people-dont-consistently-read-urls.html">Cute kittens</a>`

Yes. Which is why you never upload third-party HTML or SVG alongside your content to your CDN. Many existing services are less careful with other content-types.

Making JS active content breaks the security assumptions underlying existing applications, so is a break-the-web level decision.

See [OWASP Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload):

> ## Attacks on other systems
> ...
> * Upload .html file containing script - victim experiences Cross-site Scripting (XSS)

Note that there is no mention of "JS" or "JavaScript", so this proposal would bypass existing recommendations on safely handling file uploads.

View it on GitHub: https://github.com/w3c/webcomponents/issues/807#issuecomment-488332661
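The point above, that an upload allowlist built on today's OWASP guidance treats HTML and SVG as active content but says nothing about JavaScript, can be modelled in a small upload classifier. This is an added illustration, not code from the thread or from any project it mentions; `classify_upload`, `sniff_active_markup` and the sample inputs are hypothetical, and the `extra_active` parameter stands in for the proposal under discussion.

```python
# Hypothetical upload handler: decide how a stored user upload may be served.
# Under current browser behaviour, inline HTML, XHTML and SVG from the app's
# origin run script, so those are the types OWASP's advice forces to download.
ACTIVE_TYPES = frozenset({"text/html", "application/xhtml+xml", "image/svg+xml"})


def sniff_active_markup(data: bytes) -> bool:
    """Cheap check: does the first KB look like HTML/SVG regardless of the
    declared type? (Declared types are attacker-controlled on upload.)"""
    head = data[:1024].lstrip().lower()
    return (
        head.startswith(b"<!doctype html")
        or b"<html" in head
        or b"<svg" in head
        or b"<script" in head
    )


def classify_upload(declared_type: str, data: bytes,
                    extra_active: frozenset = frozenset()) -> dict:
    """Return the response headers to serve this upload with.

    extra_active models a world where more types become active content:
    passing {"text/javascript"} is the "JS as active content" proposal.
    Anything active is never rendered inline from the application origin.
    """
    active = ACTIVE_TYPES | extra_active
    if declared_type in active or sniff_active_markup(data):
        # Force download and forbid MIME sniffing so the browser cannot
        # reinterpret the body as markup.
        return {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": "attachment",
            "X-Content-Type-Options": "nosniff",
        }
    return {"Content-Type": declared_type, "X-Content-Type-Options": "nosniff"}
```

With the default allowlist a `text/javascript` upload is served inline, exactly the gap the comment describes; only when the caller extends `extra_active` does the handler quarantine it.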