
Re: HTML imports: new XSS hole?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 10 Jun 2014 10:48:20 +0200
Message-ID: <CADnb78ijSFebpJvgxmbENN1tQKXfXurwXUUJNUoSvq3jAm=Rvw@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: WebApps WG <public-webapps@w3.org>

On Tue, Jun 10, 2014 at 10:36 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> Were you saying <script import=url></script> or <script src=url
> import></script>?

The former. The latter is reserved for loading and executing scripts.


> I, by the way, wholeheartedly agree that <link> tags become more
> dangerous through HTML imports and that they are somehow breaking the
> dogma of "security by no surprises" :)


-- 
http://annevankesteren.nl/
Received on Tuesday, 10 June 2014 08:48:47 UTC
