W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2014

Re: HTML imports: new XSS hole?

From: James M Snell <jasnell@gmail.com>
Date: Mon, 2 Jun 2014 06:54:14 -0700
Message-ID: <CABP7Rbc1=SfA6UushZRCLi4_tFfxanzeUnb4sWLwOwT-eNVfFw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WebApps WG <public-webapps@w3.org>
Im not saying it's perfect. Not by any stretch. I'm saying it shouldn't be
worse. Any impl that supports the mechanism will need to be aware of the
risk and content filters will need to evolve. Perhaps an additional
strongly worded warning in the spec would be helpful.
On Jun 2, 2014 6:43 AM, "Boris Zbarsky" <bzbarsky@mit.edu> wrote:

> On 6/2/14, 9:22 AM, James M Snell wrote:
>
>> Yes, that's true. Content filters are likely to miss the links
>> themselves. Hopefully, the imported documents themselves get filtered
>>
>
> By what, exactly?  I mean, CSP will apply to them, but not website content
> filters...
>
>  One assumption we can possibly make is that
>> any implementation that knows how to follow import links ought to know
>> that they need to be filtered.
>>
>
> Sure, but that assumes the filtering we're talking about is being done by
> the UA to start with.
>
> -Boris
>
Received on Monday, 2 June 2014 13:54:43 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:24 UTC