
Re: HTML imports: new XSS hole?

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 02 Jun 2014 09:43:32 -0400
Message-ID: <538C7F84.9030004@mit.edu>
To: James M Snell <jasnell@gmail.com>
CC: WebApps WG <public-webapps@w3.org>

On 6/2/14, 9:22 AM, James M Snell wrote:
> Yes, that's true. Content filters are likely to miss the links
> themselves. Hopefully, the imported documents themselves get filtered

By what, exactly?  I mean, CSP will apply to them, but not website 
content filters...

> One assumption we can possibly make is that
> any implementation that knows how to follow import links ought to know
> that they need to be filtered.

Sure, but that assumes the filtering we're talking about is being done 
by the UA to start with.

-Boris
Received on Monday, 2 June 2014 13:44:02 UTC
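
Added example, not part of the original message or of any project's code: a server-side content filter showing the point made in this exchange, that a filter built around `<script>` and event-handler attributes passes an import link through unchanged, while an allow-list of tags drops it. The tag lists, the `Filter` and `sanitize` names, and the sample markup are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed user-submitted markup (not taken from the thread).
SAMPLE = ('<p onclick="x()">hi</p><script>x()</script>'
          '<link rel="import" href="https://example.invalid/w.html">')

BLOCKED_TAGS = {"script", "style", "iframe", "object", "embed"}  # denylist policy
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br"}
RAW_TEXT = {"script", "style"}  # element bodies that are never emitted as text


class Filter(HTMLParser):
    """Re-serialises markup, keeping only what the chosen policy permits."""

    def __init__(self, allowlist):
        super().__init__(convert_charrefs=True)
        self.allowlist = allowlist
        self.out = []
        self.raw_depth = 0  # > 0 while inside a script/style body

    def keep_tag(self, tag):
        return tag in ALLOWED_TAGS if self.allowlist else tag not in BLOCKED_TAGS

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.raw_depth += 1
        if not self.keep_tag(tag):
            return
        # Allow-list mode emits no attributes at all; denylist mode strips on*.
        kept = "" if self.allowlist else "".join(
            f' {k}="{escape(v or "")}"' for k, v in attrs if not k.startswith("on"))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT and self.raw_depth:
            self.raw_depth -= 1
        if self.keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.raw_depth:
            self.out.append(escape(data))


def sanitize(markup, allowlist):
    f = Filter(allowlist)
    f.feed(markup)
    f.close()
    return "".join(f.out)
```

Either way the filter only ever sees the submitted markup; the document an import link points at is fetched by the browser and never passes through it.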
