Good point.
My thinking is that I want to somehow make HTML imports more like script than
HTML. What we need might be a separate content type from text/html for HTML
imports. It will prevent accidental inclusion of non-import HTML that is
more likely to have an XSS hole.
We already have CORS to prevent that kind of thing. But owning a different
content type will be stronger protection.
On Tue, Feb 4, 2014 at 12:22 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> On 03.02.2014 21:58, Hajime Morrita wrote:
> > Parser-made script means the <script> tags and their contents that are
> > written in the HTML bytestream, not given by DOM mutation calls from
> > scripts. As HTML Imports doesn't allow document.write(), it seems safe
> > to assume that these scripts are statically given by the author, not an
> > attacker.
> >
>
> I don't see how this mitigates XSS concerns. If we allow inline script
> there's no way to tell if the imported document has intended or injected
> inline scripts.
>
> Imagine an import that includes something like
> "import.php?userName=<script>alert(1)</script>".
>
--
morrita
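To make the content-type idea above concrete, here is an added example (not code from this thread or from any browser) of the gate an import loader could apply before parsing a fetched document: accept only a dedicated import media type, and for cross-origin fetches additionally require a matching CORS header. The type name `text/html-import`, the header-object shape and the function names are assumptions for illustration.

```javascript
// Added example, not from the thread. Assumed placeholder media type: none
// was ever standardised for HTML Imports.
const IMPORT_MEDIA_TYPE = 'text/html-import';

// Parse a Content-Type header value into a lowercase media type plus params.
function parseContentType(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  const [type, ...rest] = value.split(';');
  const params = {};
  for (const p of rest) {
    const i = p.indexOf('=');
    if (i < 0) continue;
    const name = p.slice(0, i).trim().toLowerCase();
    params[name] = p.slice(i + 1).trim().replace(/^"|"$/g, '');
  }
  return { type: type.trim().toLowerCase(), params };
}

// Decide whether a fetched response may be processed as an HTML import.
// `headers` is a plain object keyed by lowercase header name;
// `importerOrigin` is the importing page's origin, `importOrigin` the
// origin of the import URL. Ordinary text/html (for example a PHP page
// that reflects a query parameter) is refused outright.
function shouldParseAsImport(headers, importerOrigin, importOrigin) {
  const ct = parseContentType(headers['content-type']);
  if (!ct) return { ok: false, reason: 'missing Content-Type' };
  if (ct.type !== IMPORT_MEDIA_TYPE) {
    return { ok: false, reason: `refusing ${ct.type}: not an import type` };
  }
  if (importerOrigin !== importOrigin) {
    // Cross-origin: the usual CORS allow-origin check still applies.
    const allow = headers['access-control-allow-origin'];
    if (allow !== '*' && allow !== importerOrigin) {
      return { ok: false, reason: 'cross-origin import not allowed by CORS' };
    }
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample responses (not real servers).
const ordinaryPage = { 'content-type': 'text/html; charset=utf-8' };
const importDoc = { 'content-type': 'TEXT/HTML-IMPORT; charset="utf-8"' };
const corsImportDoc = {
  ...importDoc,
  'access-control-allow-origin': 'https://app.example',
};
```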