
Re: HTML imports: new XSS hole?

From: James M Snell <jasnell@gmail.com>
Date: Mon, 2 Jun 2014 05:54:11 -0700
Message-ID: <CABP7Rbf3Uy8fyYtQaBBFTAWy5wDVdiGpy4_Oo4x5ZwNz3Rkk7g@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Jonas Sicking <jonas@sicking.cc>, WebApps WG <public-webapps@w3.org>

So long as they're handled with the same policy and restrictions as the
script tag, it shouldn't be any worse.

On Jun 2, 2014 2:35 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

> How big of a problem is it that we're making <link> as dangerous as
> <script>? HTML imports can point to any origin which then will be able
> to execute scripts with the authority of same-origin.
>
>
> --
> http://annevankesteren.nl/
>
>
Received on Monday, 2 June 2014 12:54:38 UTC
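
The point made in this exchange, that `<link rel="import">` needs the same handling as `<script>`, as an added example that is not part of the original thread: a markup audit that reports both kinds of element and whether each target is cross-origin. The class and function names, the page URL and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host, port): the tuple the same-origin policy compares."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class ScriptEquivalentAudit(HTMLParser):
    """Hypothetical auditor: records elements whose target runs as the page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved URL or None for inline, cross_origin)

    def handle_starttag(self, tag, attrs):
        a = {}
        for name, value in attrs:      # keep the first duplicate, as browsers do
            a.setdefault(name, value or "")
        if tag == "script":
            self._record(tag, a.get("src"))
        elif tag == "link" and a.get("href"):
            # rel is a set of ASCII-whitespace-separated, case-insensitive tokens
            rels = set(re.split(r"[ \t\n\f\r]+", a.get("rel", "").lower()))
            if "import" in rels:       # treated exactly like <script src>
                self._record(tag, a["href"])

    def _record(self, tag, ref):
        url = urljoin(self.page_url, ref) if ref else None
        cross = url is not None and origin(url) != origin(self.page_url)
        self.findings.append((tag, url, cross))

def audit(markup, page_url):
    parser = ScriptEquivalentAudit(page_url)
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample markup and origins (not from the thread).
PAGE = "https://app.example/index.html"
SAMPLE = """
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<link REL="Import prefetch" href="//cdn.example.net/widget.html">
<link rel="import" href="/components/menu.html">
<script src="https://cdn.example.net/lib.js"></script>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, PAGE):
        print(finding)
```

A sanitizer or review check that already rejects untrusted `<script>` elements would apply the same decision to every `link` finding reported here.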
