
HTML imports: new XSS hole?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 2 Jun 2014 11:32:45 +0200
Message-ID: <CADnb78h7TMmjdGupu3COOv6ccxm6AK-1=Y-w-pYOUnVChXX0XA@mail.gmail.com>
To: WebApps WG <public-webapps@w3.org>
Cc: Jonas Sicking <jonas@sicking.cc>

How big of a problem is it that we're making <link> as dangerous as
<script>? HTML imports can point to any origin which then will be able
to execute scripts with the authority of same-origin.


-- 
http://annevankesteren.nl/
Received on Monday, 2 June 2014 09:33:12 UTC
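
An added example, not part of the original message: a markup audit that counts `<link rel="import">` alongside `<script src>` as script-capable and marks which references leave the page's origin. The sample markup, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) tuple of an http(s) URL."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

class ScriptCapableFinder(HTMLParser):
    """Collects references that can run script with the page's authority."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {}
        for name, value in attrs:          # first duplicate wins, as in browsers
            a.setdefault(name, value or "")
        if tag == "script" and a.get("src"):
            self._record("script", a["src"])
        elif tag == "link" and a.get("href"):
            # rel is a space-separated, case-insensitive token list
            if "import" in a.get("rel", "").lower().split():
                self._record("link rel=import", a["href"])

    def _record(self, kind, ref):
        url = urljoin(self.page_url, ref.strip())
        cross = origin(url) != origin(self.page_url)
        self.findings.append({"kind": kind, "url": url, "cross_origin": cross})

def find_script_capable(html, page_url):
    finder = ScriptCapableFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, served from PAGE_URL.
PAGE_URL = "https://app.example.com/profile/view"
SAMPLE = """
<link rel="stylesheet" href="/site.css">
<link REL="Import prefetch" href="https://widgets.example.net/card.html">
<link rel=import href="components/menu.html" />
<script src="//cdn.example.org/lib.js"></script>
"""

if __name__ == "__main__":
    for f in find_script_capable(SAMPLE, PAGE_URL):
        print(f["kind"], f["url"], "cross-origin" if f["cross_origin"] else "same-origin")
```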
