- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 26 Nov 2008 23:40:05 +0000 (UTC)
Heads-up: Since nobody could say what security vulnerability we were protecting against in making importScripts() block cross-origin loads, I've commented out the step that enforces same-origin restrictions for importScripts(). The only vulnerabilities I can find are things that can already be done with <script> (e.g. slurping cookie-protected JSON).

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 26 November 2008 15:40:05 UTC