- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 03 Jun 2014 12:59:41 -0400
- To: public-webapps@w3.org

On 6/3/14, 12:48 PM, Hajime Morrita wrote:
> HTML Imports are a bit more strict. They see CORS header and decline if
> there is none for cross origin imports.
> Also, requests for imports don't send any credentials to other origins.

These two measures prevent attacks on other origins via imports. It does nothing about attacks by the imported script on the page the import is happening into.

-Boris

Received on Tuesday, 3 June 2014 17:00:09 UTC