- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 10 Dec 2008 10:07:57 -0800
- To: "Marcos Caceres" <marcosscaceres@gmail.com>
- Cc: "Jonas Sicking" <jonas@sicking.cc>, "Simon Pieters" <simonp@opera.com>, "Laurens Holst" <lholst@students.cs.uu.nl>, public-webapps <public-webapps@w3.org>, timeless <timeless@gmail.com>
On Wed, Dec 10, 2008 at 2:55 AM, Marcos Caceres <marcosscaceres@gmail.com> wrote:
> The content element is defined here:
> http://dev.w3.org/2006/waf/widgets/#the-content
>
> Would certainly appreciate more details about the security threat.

Thanks for the pointer. As timeless points out, this doesn't look like a security issue in this context because the content can be included only from within the widget.

In other settings, you have to be careful about sites that let users upload content. For example, many sites let users upload images. If you take an HTTP response from one of these sites and override its Content-Type, you might be tricked into running the attacker's HTML in the honest site's security context.

Adam
Received on Wednesday, 10 December 2008 18:08:38 UTC
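The upload scenario Adam describes, as an added example that is not part of the thread and not code from any W3C specification: a server-side check for a hypothetical image-upload handler that accepts PNG, JPEG and GIF. It verifies that the uploaded bytes really begin with the magic number of the type the client declared (so a file that is actually HTML cannot be stored as an "image"), rejects content whose leading bytes contain HTML-looking markup that a content sniffer might act on, and builds the response headers with `X-Content-Type-Options: nosniff` so a browser does not re-interpret the response as something other than the declared type. The accepted types, the 512-byte inspection window and the sample inputs are all assumptions made for this example.

```python
"""Defensive checks for user-uploaded images (added example, hypothetical handler).

The idea: an HTTP response from an honest site that is actually
attacker-supplied HTML must never be served in a way that lets a browser
run it in that site's security context. Two measures are shown here:
validate the bytes against the declared image type at upload time, and
send nosniff when serving them.
"""
import re

# Magic-number prefixes for the image types this hypothetical site accepts.
IMAGE_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Tags that a browser's content sniffer may treat as evidence of HTML
# when they appear near the start of a response (assumed list).
HTML_MARKER_RE = re.compile(
    rb"<\s*(!doctype|html|head|body|script|iframe|object|embed|meta)",
    re.IGNORECASE,
)

# How many leading bytes to inspect for HTML markers (assumed window).
SNIFF_WINDOW = 512


def declared_type_matches(data: bytes, declared: str) -> bool:
    """True only if the declared Content-Type is an accepted image type
    and the bytes start with one of that type's known signatures."""
    media_type = declared.split(";")[0].strip().lower()
    signatures = IMAGE_SIGNATURES.get(media_type)
    if not signatures:
        return False
    return any(data.startswith(sig) for sig in signatures)


def looks_like_html(data: bytes, window: int = SNIFF_WINDOW) -> bool:
    """True if HTML-looking markup appears within the first `window` bytes."""
    return HTML_MARKER_RE.search(data[:window]) is not None


def validate_upload(data: bytes, declared: str) -> tuple:
    """Decide whether an upload may be stored and later served as an image.

    Returns (accepted, reason). Both checks must pass: a correct magic
    number for the declared type, and no HTML markers in the leading bytes
    (this also rejects a polyglot that carries a valid image header followed
    by markup).
    """
    if not declared_type_matches(data, declared):
        return False, "content does not match declared image type"
    if looks_like_html(data):
        return False, "HTML-looking markup near the start of the file"
    return True, "ok"


def response_headers(content_type: str) -> dict:
    """Headers to send when serving a stored image back to browsers."""
    return {
        "Content-Type": content_type,
        # Tell the browser to honour the declared type and not sniff.
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample inputs (not real uploads).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_HTML_AS_PNG = b"<html><script>/* constructed: not an image */</script></html>"
SAMPLE_POLYGLOT = b"\x89PNG\r\n\x1a\n<script>/* constructed */</script>"


if __name__ == "__main__":
    for label, blob in [("png", SAMPLE_PNG),
                        ("html-as-png", SAMPLE_HTML_AS_PNG),
                        ("polyglot", SAMPLE_POLYGLOT)]:
        print(label, validate_upload(blob, "image/png"))
    print(response_headers("image/png"))
```

The validation runs once at upload time; the nosniff header is cheap and should accompany every served upload, since the signature check only covers formats the site knows about.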