Re: HTML imports: new XSS hole?

On Tue, Jun 10, 2014 at 10:36 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> Were you saying <script import=url></script> or <script src=url
> import></script>?

The former. The latter is reserved for loading and executing scripts.


> I, by the way, wholeheartedly agree that <link> tags become more
> dangerous through HTML imports and that they are somehow breaking the
> dogma of "security by no surprises" :)


-- 
http://annevankesteren.nl/

Received on Tuesday, 10 June 2014 08:48:47 UTC