- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 16 Oct 2009 17:48:30 -0400
On 10/16/09 4:12 PM, Ben Laurie wrote: > I realise this is only one of dozens of ways that HTML is unfriendly > to security, but, well, this seems like a bad idea - if the page > thinks it is embedding, say, some flash, it seems like a pretty bad > idea to allow the (possibly untrusted) site providing the "flash" to > run whatever it wants in its place. This cuts both ways. If a site allows me to upload images and I upload an HTML file with some script in it and tell it it's a GIF (e.g. via the name) an then put an <object type="text/html" data="http://this.other.site/my.gif"> on my site... then I just injected script into a different domain if we let @type override the server-provided header. This is, imo, a much bigger problem than that of people embedding content from an untrusted site and getting content X instead of content Y, especially because content X can't actually access the page that contains it, right? -Boris
Received on Friday, 16 October 2009 14:48:30 UTC