- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Mon, 25 Jan 2010 12:39:04 -0500
On Mon, Jan 25, 2010 at 1:29 AM, Adam Barth <whatwg at adambarth.com> wrote: > That depends what information the attacker encodes in the host name. > Recall that we're imaging the attacker gets to run JavaScript within > the sandbox If we're assuming that, then yes, it's probably hopeless. But are we assuming that? The given use-case was webmail -- that would be expected to disable scripts in the sandbox, no? > The point is that stopping exfiltration is a losing battle that we > shouldn't bother to play. Even if scripting is disabled?
Received on Monday, 25 January 2010 09:39:04 UTC