Re: [HTML imports]: Imports and Content Security Policy

On 03.02.2014 21:58, Hajime Morrita wrote:
> Parser-made script means the <script> tags and their contents that are
> written in HTML bytestream, not given by DOM mutation calls from
> scripts.  As HTML Imports doesn't allow document.write(), it seems safe
> to assume that these scripts are statically given by the author, not an
> attacker.
> 

I don't see how this mitigates XSS concerns. If we allow inline script
there's no way to tell if the imported document has intended or injected
inline scripts.

Imagine an import that includes something like
"import.php?userName=<script>alert(1)</script>".

Received on Tuesday, 4 February 2014 08:23:05 UTC