Re: HTML imports: new XSS hole?

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 02 Jun 2014 09:01:45 -0400
Message-ID: <538C75B9.60507@mit.edu>
To: public-webapps@w3.org

On 6/2/14, 8:54 AM, James M Snell wrote:
> So long as they're handled with the same policy and restrictions as the
> script tag, it shouldn't be any worse.

It's worse for sites that have some sort of filtering on user-provided 
content but don't catch this case right now, no?

-Boris
Received on Monday, 2 June 2014 13:02:17 UTC
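
The point raised in the message above, as an added example that is not part of the original post: a filter that strips only the tags it already knows about lets an HTML import link through, while a filter that re-serialises only allowlisted tags drops it. The sample input, the tag allowlist and all function names are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample of user-provided content (not taken from the thread).
SAMPLE = ('<p>hello</p><script>alert(1)</script>'
          '<link rel="import" href="https://untrusted.example/widget.html">')

def blocklist_filter(markup):
    """Hypothetical legacy filter: removes <script> elements and nothing else."""
    return re.sub(r'(?is)<script\b.*?</script\s*>', '', markup)

# Hypothetical allowlist: tag -> attributes that may be kept.
ALLOWED = {'p': set(), 'b': set(), 'i': set(), 'a': {'href'}}

class AllowlistFilter(HTMLParser):
    """Re-serialises only allowlisted tags; unknown tags are dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ('script', 'style'):
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = [(k, v or '') for k, v in attrs if k in ALLOWED[tag]]
            # Only plain web URLs survive in href; javascript: etc. are dropped.
            kept = [(k, v) for k, v in kept
                    if k != 'href' or v.lower().startswith(('http://', 'https://'))]
            attr_text = ''.join(f' {k}="{escape(v)}"' for k, v in kept)
            self.out.append(f'<{tag}{attr_text}>')

    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def allowlist_filter(markup):
    parser = AllowlistFilter()
    parser.feed(markup)
    parser.close()
    return ''.join(parser.out)

def has_import_link(markup):
    """True if the markup still contains a <link rel=import ...> element."""
    return re.search(r'(?i)<link\b[^>]*\brel\s*=\s*["\']?import\b', markup) is not None
```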