
Re: HTML imports: new XSS hole?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 2 Jun 2014 14:56:46 +0200
Message-ID: <CADnb78j2PojJWcPsu0Z_q7k5O1-jG0HE=Kbx+rRj-Dy7KAvV7w@mail.gmail.com>
To: James M Snell <jasnell@gmail.com>
Cc: Jonas Sicking <jonas@sicking.cc>, WebApps WG <public-webapps@w3.org>

On Mon, Jun 2, 2014 at 2:54 PM, James M Snell <jasnell@gmail.com> wrote:
> So long as they're handled with the same policy and restrictions as the
> script tag, it shouldn't be any worse.

Well, <script> is assumed to be unsafe, <link> is not (at least not to
the same extent).

Received on Monday, 2 June 2014 12:57:14 UTC
