On Mon, 4 Jun 2012, Adam Barth wrote:
> >
> > http://www.hixie.ch/specs/e4h/strawman
> >
> > Who wants to be first to implement it?
>
> Doesn't e4h have the same security problems as e4x?

As written it did, yes (specifically, if you can inject content into an XML file you can cause it to run JS under your control in your origin with content from the other origin).

However, as Anne and you have said, it's easy to fix, either by using an XML-incompatible syntax or using CORS to disable it. Since we have to disable it in Workers anyway, I'd go with disabling it when there's no CORS. Strawman has been updated accordingly.

On Tue, 5 Jun 2012, Anne van Kesteren wrote:
>
> A (bigger?) problem with E4H/H4E is that TC39 does not like it:
> http://lists.w3.org/Archives/Public/public-script-coord/2011OctDec/thread.html#msg33

What matters is what implementors want to do.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 5 June 2012 20:25:11 UTC