
Re: HTML imports: new XSS hole?

From: Simon Pieters <simonp@opera.com>
Date: Tue, 03 Jun 2014 08:46:10 +0200
To: "WebApps WG" <public-webapps@w3.org>, "Anne van Kesteren" <annevk@annevk.nl>
Cc: "Jonas Sicking" <jonas@sicking.cc>
Message-ID: <op.xgu828ruidj3kv@simons-mbp>

On Mon, 02 Jun 2014 11:32:45 +0200, Anne van Kesteren <annevk@annevk.nl> wrote:

> How big of a problem is it that we're making <link> as dangerous as
> <script>? HTML imports can point to any origin which then will be able
> to execute scripts with the authority of same-origin.

I still think it is a problem.


Simon Pieters
Opera Software
Received on Tuesday, 3 June 2014 06:46:40 UTC
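
The concern raised in this thread, seen from the side of a filter for untrusted markup: if <link rel=import> can run script with the page's authority, the filter has to treat it like <script>. This is an added example, not part of the original messages or of any specification; the element shape ({ tag, attrs }), the function names and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: policy hook for an HTML sanitizer. The element shape
// ({ tag, attrs }) and all sample values are assumptions, constructed here.
const ASCII_WS = /[\t\n\f\r ]+/;

// rel is a set of space-separated tokens, matched ASCII case-insensitively.
function relTokens(rel) {
  if (typeof rel !== "string") return [];
  return rel.split(ASCII_WS).filter(Boolean).map((t) => t.toLowerCase());
}

// Resolve the target against the document URL so the log shows whether the
// import would have pulled markup from another origin.
function targetOrigin(href, documentUrl) {
  try {
    return new URL(href, documentUrl).origin;
  } catch {
    return null; // unparsable href
  }
}

// Decide what to do with one element from untrusted markup.
function reviewElement(el, documentUrl) {
  const tag = el.tag.toLowerCase();
  if (tag === "script") return { action: "drop", reason: "script" };
  if (tag === "link" && relTokens(el.attrs.rel).includes("import")) {
    const origin = targetOrigin(el.attrs.href || "", documentUrl);
    const crossOrigin = origin !== new URL(documentUrl).origin;
    // Conservative choice of this example: dropped even when same-origin,
    // because the import's scripts run with the importing page's authority.
    return { action: "drop", reason: "html-import", origin, crossOrigin };
  }
  return { action: "keep", reason: "not script-equivalent" };
}

// Constructed sample input.
const DOC = "https://app.example/profile";
const SAMPLES = [
  { tag: "link", attrs: { rel: "stylesheet", href: "/site.css" } },
  { tag: "LINK", attrs: { rel: "Stylesheet  IMPORT", href: "//cdn.example/w.html" } },
  { tag: "link", attrs: { rel: "import", href: "/parts/card.html" } },
  { tag: "link", attrs: { href: "/x" } },
];

function reviewAll(elements, documentUrl) {
  return elements.map((el) => reviewElement(el, documentUrl));
}
```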
