
Re: [HTML imports]: Imports and Content Security Policy

From: Frederik Braun <fbraun@mozilla.com>
Date: Tue, 04 Feb 2014 09:22:34 +0100
Message-ID: <52F0A34A.1030902@mozilla.com>
To: Hajime Morrita <morrita@google.com>
CC: Gabor Krizsanits <gkrizsanits@mozilla.com>, Nick Krempel <ndkrempel@google.com>, Scott Miles <sjmiles@google.com>, public-webapps <public-webapps@w3.org>
On 03.02.2014 21:58, Hajime Morrita wrote:
> Parser-made script means the <script> tags and its contents that are
> written in HTML bytestream, not given by DOM mutation calls from
> scripts.  As HTML Imports doesn't allow document.write(), it seems safe
> to assume that these scripts are statically given by the author, not an
> attacker.
> 

I don't see how this mitigates XSS concerns. If we allow inline script
there's no way to tell if the imported document has intended or injected
inline scripts.

Imagine an import that includes something like
"import.php?userName=<script>alert(1)</script>".
Received on Tuesday, 4 February 2014 08:23:05 UTC
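An added example, not part of the thread, that works through Frederik's "import.php?userName=..." scenario from the importing page's side. A hypothetical server-side template (renderImport, constructed here) reflects the userName parameter into the imported document; the helpers then show that a "parser-made scripts are trusted" rule counts the injected script and the author's script alike, whereas escaping the reflected value, and a script-src directive without 'unsafe-inline', are what actually separate the two. The CSP check is a simplified reading of the directive string, not a full CSP implementation.

```javascript
// Added example, not code from the thread. Simulates the reflected-parameter
// import document from Frederik's message and checks how an inline-script
// policy would see it. All sample HTML and policies below are constructed.

// Minimal HTML escaping for text content (assumption: value lands in text, not in an attribute or URL).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hypothetical server-side template for "import.php". The author's own inline
// <script> is always present; userName is reflected either escaped or raw.
function renderImport(userName, { escape = true } = {}) {
  const value = escape ? escapeHtml(userName) : userName;
  return [
    '<template id="greeting">',
    `  <p>Hello, ${value}!</p>`,
    '</template>',
    '<script>/* author-written */ console.log("import loaded");</script>',
  ].join('\n');
}

// Counts <script> elements as the HTML parser would see them in the byte
// stream, i.e. "parser-made" scripts. A simplified tokenizer for the example:
// it cannot tell the author's script from one injected through userName.
function countParserMadeScripts(html) {
  const matches = html.match(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi);
  return matches ? matches.length : 0;
}

// Simplified CSP check: inline scripts run only if the governing directive
// (script-src, else default-src) carries 'unsafe-inline'. Nonces and hashes
// are out of scope for this example.
function inlineScriptsAllowed(csp) {
  const pick = name => {
    const m = csp.match(new RegExp(`(?:^|;)\\s*${name}\\s+([^;]*)`, 'i'));
    return m ? m[1] : null;
  };
  const directive = pick('script-src') ?? pick('default-src') ?? '';
  return /'unsafe-inline'/.test(directive);
}

// Demonstration: raw reflection yields two parser-made scripts, escaped yields one;
// a policy without 'unsafe-inline' would block both in the raw case anyway.
const payload = '<script>alert(1)</script>';
console.log('raw reflection  :', countParserMadeScripts(renderImport(payload, { escape: false })), 'parser-made script(s)');
console.log('escaped         :', countParserMadeScripts(renderImport(payload)), 'parser-made script(s)');
console.log("script-src 'self'               allows inline:", inlineScriptsAllowed("default-src 'self'; script-src 'self'"));
console.log("script-src 'self' 'unsafe-inline' allows inline:", inlineScriptsAllowed("script-src 'self' 'unsafe-inline'"));
```

The point the numbers make is the one in the message: once the parameter is reflected unescaped, the parser sees two byte-stream scripts and has no signal that one was injected, so "parser-made" is not a trust boundary; output escaping and a CSP that does not whitelist inline script are.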
