Re: HTML imports: new XSS hole?

On 6/2/14, 9:22 AM, James M Snell wrote:
> Yes, that's true. Content filters are likely to miss the links
> themselves. Hopefully, the imported documents themselves get filtered

By what, exactly?  I mean, CSP will apply to them, but not website 
content filters...

> One assumption we can possibly make is that
> any implementation that knows how to follow import links ought to know
> that they need to be filtered.

Sure, but that assumes the filtering we're talking about is being done 
by the UA to start with.

-Boris

Received on Monday, 2 June 2014 13:44:02 UTC
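
The thread's point that a site's own content filter has to catch the import links itself, as an added example that is not part of the original message or of any project's code: a parser-based check for <link rel=import> in submitted markup. The function names, the reject-on-match policy and the sample strings are assumptions made for illustration.

```python
from html.parser import HTMLParser


class ImportLinkFinder(HTMLParser):
    """Collects the href of every <link> whose rel token list contains "import"."""

    def __init__(self):
        super().__init__()
        self.imports = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and decodes character
        # references in attribute values, so rel="&#105;mport" arrives as "import".
        if tag != "link":
            return
        # rel is a whitespace-separated, case-insensitive token list. Check every
        # rel attribute present, so a duplicated attribute cannot hide the token.
        rels = [value or "" for name, value in attrs if name == "rel"]
        if any("import" in rel.lower().split() for rel in rels):
            hrefs = [value for name, value in attrs if name == "href"]
            self.imports.append(hrefs[0] if hrefs else None)


def find_import_links(markup):
    """Return the href values of all import links found in the markup."""
    finder = ImportLinkFinder()
    finder.feed(markup)
    finder.close()
    return finder.imports


def accept_submission(markup):
    """Hypothetical filter policy: refuse any markup that carries an import link."""
    return not find_import_links(markup)


# Constructed sample input, not taken from the thread.
SAMPLES = [
    '<p>hi</p><link rel="import" href="https://example.invalid/w.html">',
    '<LINK REL="stylesheet Import" HREF=/a.html>',
    '<link rel="&#105;mport" href="b.html"/>',
    '<link rel="stylesheet" href="s.css">',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(accept_submission(sample), find_import_links(sample))
```

A filter like this only covers the link in the filtered page; the imported document is fetched by the browser and never passes through it.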