Good point. My thinking is that I want somehow make HTML imports more like script than HTML. What we need might be a separate content type than text/html for HTML imports. It will prevent accidental inclusion of non-import HTML that is more likely to have XSS hole. We already has CORS to prevent that kind of thing. But owning different content type will be stronger protection. On Tue, Feb 4, 2014 at 12:22 AM, Frederik Braun <fbraun@mozilla.com> wrote: > On 03.02.2014 21:58, Hajime Morrita wrote: > > Parser-made script means the <script> tags and its contents that are > > written in HTML bytestream, not given by DOM mutation calls from > > scripts. As HTML Imports doesn't allow document.write(), it seems safe > > to assume that these scripts are statically given by the author, not an > > attacker. > > > > I don't see how this mitigates XSS concerns. If we allow inline script > there's no way to tell if the imported document has intended or injected > inline scripts. > > Imagine an import that includes something like > "import.php?userName=<script>alert(1)</script>". > -- morrita
Received on Tuesday, 4 February 2014 22:52:03 UTC