On Wed, Oct 15, 2014 at 5:59 PM, Domenic Denicola < domenic@domenicdenicola.com> wrote: > For the XSS attacker, couldn't they just use > `theInput.removeAttribute("writeonly"); alert(theInput.value);`? > > Or is this some kind of new "un-removable attribute"? > The strawman suggests setting a flag on the element, and doesn't suggest a way of unsetting that flag. This is conceptually similar to iframe@sandbox's effect on the document loaded into the frame. -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)Received on Wednesday, 15 October 2014 16:42:15 UTC
This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:24 UTC