- From: Ola P. Kleiven <olak@opera.com>
- Date: Sun, 18 Oct 2009 14:40:23 +0200
On Sun, 18 Oct 2009 14:21:56 +0200, Ben Laurie <benl at google.com> wrote: > On Sun, Oct 18, 2009 at 5:37 AM, Ian Hickson <ian at hixie.ch> wrote: >> On Fri, 16 Oct 2009, Ben Laurie wrote: >>> > On Thu, 6 Aug 2009, Andrew Oakley wrote: >>> >> >>> >> - Should the type attribute take precedence over the Content-Type >>> >> header? >>> > >>> > No, I believe what the spec says here is the preferred behaviour. >>> > Unless this is incompatible with legacy content, we should try to >>> move >>> > towards this behaviour. >>> >>> I realise this is only one of dozens of ways that HTML is unfriendly to >>> security, but, well, this seems like a bad idea - if the page thinks it >>> is embedding, say, some flash, it seems like a pretty bad idea to allow >>> the (possibly untrusted) site providing the "flash" to run whatever it >>> wants in its place. >> >> If the site is untrusted, yet you are letting it run flash, then you've >> lost already. Flash can inject arbitrary JS into your page. > > Perhaps I am failing to understand, but if I embed anything from an > untrusted site, then it can choose what type it is - so how would I > prevent it running Flash? Running Flash and allowing the same Flash to script your page are two different things. Flash needs allowscriptaccess="always" to script if it is loaded from a different domain. This may not be true for all plug-ins though. -- Ola P. Kleiven, Core Compatibility, Opera Software
Received on Sunday, 18 October 2009 05:40:23 UTC