Re: HTML imports: new XSS hole? from James M Snell on 2014-06-02 (public-webapps@w3.org from April to June 2014)

From: James M Snell <jasnell@gmail.com>
Date: Mon, 2 Jun 2014 06:54:14 -0700
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WebApps WG <public-webapps@w3.org>
Message-ID: <CABP7Rbc1=SfA6UushZRCLi4_tFfxanzeUnb4sWLwOwT-eNVfFw@mail.gmail.com>

Im not saying it's perfect. Not by any stretch. I'm saying it shouldn't be
worse. Any impl that supports the mechanism will need to be aware of the
risk and content filters will need to evolve. Perhaps an additional
strongly worded warning in the spec would be helpful.
On Jun 2, 2014 6:43 AM, "Boris Zbarsky" <bzbarsky@mit.edu> wrote:

> On 6/2/14, 9:22 AM, James M Snell wrote:
>
>> Yes, that's true. Content filters are likely to miss the links
>> themselves. Hopefully, the imported documents themselves get filtered
>>
>
> By what, exactly?  I mean, CSP will apply to them, but not website content
> filters...
>
>  One assumption we can possibly make is that
>> any implementation that knows how to follow import links ought to know
>> that they need to be filtered.
>>
>
> Sure, but that assumes the filtering we're talking about is being done by
> the UA to start with.
>
> -Boris
>

Received on Monday, 2 June 2014 13:54:43 UTC