W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2008

[whatwg] importScripts() no longer checking for cross-origin loads

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 26 Nov 2008 23:40:05 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0811262333120.17401@hixie.dreamhostps.com>

Heads-up: Since nobody could say what security vulnerability we were 
protecting against in making importScripts() block cross-origin loads, 
I've commented out the step that enforces same-origin restrictions for 
importScripts(). The only vulnerabilities I can find are things that can 
already be done with <script> (e.g. slurping cookie-protected JSON).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 26 November 2008 15:40:05 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:07 UTC