- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 5 Jun 2012 20:24:42 +0000 (UTC)
- To: Adam Barth <w3c@adambarth.com>
- cc: Rafael Weinstein <rafaelw@google.com>, Webapps WG <public-webapps@w3.org>
Received on Tuesday, 5 June 2012 20:25:11 UTC
On Mon, 4 Jun 2012, Adam Barth wrote:
>
> > > http://www.hixie.ch/specs/e4h/strawman
> >
> > Who wants to be first to implement it?
>
> Doesn't e4h have the same security problems as e4x?

As written it did, yes (specifically, if you can inject content into an XML file you can cause it to run JS under your control in your origin with content from the other origin). However, as Anne and you have said, it's easy to fix, either by using an XML-incompatible syntax or using CORS to disable it. Since we have to disable it in Workers anyway, I'd go with disabling it when there's no CORS. Strawman has been updated accordingly.

On Tue, 5 Jun 2012, Anne van Kesteren wrote:
> A (bigger?) problem with E4H/H4E is that TC39 does not like it:
> http://lists.w3.org/Archives/Public/public-script-coord/2011OctDec/thread.html#msg33

What matters is what implementors want to do.

-- 
Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
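The mitigation Ian settles on above (treat fetched XML as executable E4H only when the resource is same-origin or CORS explicitly permits it, and never in Workers) can be written down as a small decision function. The block below is an added illustration, not code from the E4H strawman or from any browser engine; the function names `mayExecuteAsE4H`, `corsPermits` and `originOf`, the `responseHeaders` object shape, and the sample URLs are assumptions made for the example. The origin-matching rule it applies is the standard CORS one: the `Access-Control-Allow-Origin` header must equal the requesting origin, or be `*` for a request made without credentials.

```javascript
// Added example: a hypothetical policy check for an E4H-style feature that
// would otherwise parse cross-origin XML into script-visible content.
// None of this is from the E4H strawman; names and sample data are constructed.

// Serialize a URL to its origin (scheme, host and non-default port).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Standard CORS allow-origin rule: exact match, or "*" when the request
// carried no credentials (a credentialed request may not rely on "*").
function corsPermits(requesterOrigin, allowOriginHeader, withCredentials) {
  if (allowOriginHeader == null) return false;           // no CORS at all
  const value = String(allowOriginHeader).trim();
  if (value === requesterOrigin) return true;
  return value === '*' && !withCredentials;
}

// Case-insensitive header lookup over a plain { name: value } object.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return null;
}

// Decide whether fetched XML may be exposed to the page as E4H content.
//  - Workers: always disabled (the message says this must be disabled there).
//  - Same-origin resource: no foreign content is involved, so allowed.
//  - Cross-origin resource: allowed only when CORS opts the resource in,
//    which stops an injection into someone else's XML from running as
//    script in the injector's origin with the victim's content.
function mayExecuteAsE4H({ documentUrl, resourceUrl, responseHeaders,
                           inWorker = false, withCredentials = false }) {
  if (inWorker) return false;
  const docOrigin = originOf(documentUrl);
  const resOrigin = originOf(resourceUrl);
  if (docOrigin === resOrigin) return true;
  const acao = header(responseHeaders, 'Access-Control-Allow-Origin');
  return corsPermits(docOrigin, acao, withCredentials);
}

// Constructed scenarios (not real sites) showing each branch of the policy.
const SCENARIOS = {
  sameOrigin: { documentUrl: 'https://app.example/page',
                resourceUrl: 'https://app.example/data.xml',
                responseHeaders: {} },
  crossNoCors: { documentUrl: 'https://app.example/page',
                 resourceUrl: 'https://other.example/feed.xml',
                 responseHeaders: {} },
  crossCorsExact: { documentUrl: 'https://app.example/page',
                    resourceUrl: 'https://other.example/feed.xml',
                    responseHeaders: { 'Access-Control-Allow-Origin': 'https://app.example' } },
  crossWildcardCreds: { documentUrl: 'https://app.example/page',
                        resourceUrl: 'https://other.example/feed.xml',
                        responseHeaders: { 'access-control-allow-origin': '*' },
                        withCredentials: true },
  worker: { documentUrl: 'https://app.example/page',
            resourceUrl: 'https://app.example/data.xml',
            responseHeaders: {}, inWorker: true },
};

function evaluateScenarios() {
  const out = {};
  for (const [name, s] of Object.entries(SCENARIOS)) out[name] = mayExecuteAsE4H(s);
  return out;
}

console.log(evaluateScenarios());
```

The interesting branch is `crossNoCors`: a cross-origin XML resource served without any CORS header is the exact case Ian describes, and the policy refuses to hand its content to the page as E4H. The `crossWildcardCreds` case shows why the check cannot be reduced to "any `Access-Control-Allow-Origin` header is enough".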