- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 5 Jun 2012 02:02:45 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Ian Hickson <ian@hixie.ch>, Rafael Weinstein <rafaelw@google.com>, Webapps WG <public-webapps@w3.org>

On Tue, Jun 5, 2012 at 12:58 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Tue, Jun 5, 2012 at 2:10 AM, Adam Barth <w3c@adambarth.com> wrote:
>> Doesn't e4h have the same security problems as e4x?
>
> If you mean http://code.google.com/p/doctype-mirror/wiki/ArticleE4XSecurity
> I guess that would depend on how we define it.

By the way, it occurs to me that we can solve these security problems if we restrict the syntax to only working when executing inline or via <script crossorigin src=...>. If the script has appropriate CORS headers, then it doesn't matter if we leak its contents because they're already readable by the document executing the script.

Adam

Received on Tuesday, 5 June 2012 09:11:42 UTC
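
The restriction proposed in the message above, sketched as an added example (not part of the original post, and not taken from any specification or browser): a gate that enables the literal syntax only for inline scripts or for scripts loaded with a `crossorigin` attribute whose response is readable by the document. The function names, the script descriptor shape and the sample origins are assumptions made for illustration.

```javascript
// Added illustration, not from the original post. All names and the
// descriptor shape ({inline, crossorigin, src, responseHeaders}) are assumptions.

// CORS check on the script response (header names assumed lower-cased).
function corsCheckPasses(docOrigin, mode, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  if (mode === 'use-credentials') {
    // Credentialed requests need an exact origin match, never the wildcard.
    return allowOrigin === docOrigin &&
           headers['access-control-allow-credentials'] === 'true';
  }
  return allowOrigin === '*' || allowOrigin === docOrigin;
}

// true only when the script source is already readable by the document.
function mayEnableLiteralSyntax(docOrigin, script) {
  if (script.inline) return true;                 // source lives in the document itself
  if (script.crossorigin === null) return false;  // no attribute: no-CORS load, keep opaque
  // Per HTML, any value other than "use-credentials" maps to anonymous mode.
  const mode = script.crossorigin === 'use-credentials' ? 'use-credentials' : 'anonymous';
  if (new URL(script.src).origin === docOrigin) return true; // same-origin CORS-mode load
  return corsCheckPasses(docOrigin, mode, script.responseHeaders || {});
}

// Constructed sample scripts for a document at https://app.example.
const DOC = 'https://app.example';
const SAMPLES = [
  ['inline', { inline: true }],
  ['no crossorigin attr', { inline: false, crossorigin: null,
    src: 'https://cdn.example/a.js', responseHeaders: { 'access-control-allow-origin': '*' } }],
  ['anonymous + wildcard', { inline: false, crossorigin: '',
    src: 'https://cdn.example/a.js', responseHeaders: { 'access-control-allow-origin': '*' } }],
  ['anonymous, no CORS headers', { inline: false, crossorigin: 'anonymous',
    src: 'https://cdn.example/a.js', responseHeaders: {} }],
  ['credentials + wildcard', { inline: false, crossorigin: 'use-credentials',
    src: 'https://cdn.example/a.js', responseHeaders: {
      'access-control-allow-origin': '*', 'access-control-allow-credentials': 'true' } }],
];

function evaluateSamples() {
  return SAMPLES.map(([label, script]) => [label, mayEnableLiteralSyntax(DOC, script)]);
}

console.log(evaluateSamples());
```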