W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2014

Re: [whatwg] Proposal: Write-only submittable form-associated controls.

From: Mike West <mkwst@google.com>
Date: Wed, 15 Oct 2014 18:41:20 +0200
Message-ID: <CAKXHy=dRLOahDwErRhigckf_NRY7vFLG9bVa1oXfdXX5qSDgkQ@mail.gmail.com>
To: Domenic Denicola <domenic@domenicdenicola.com>
Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Jonas Sicking <jonas@sicking.cc>
On Wed, Oct 15, 2014 at 5:59 PM, Domenic Denicola <
domenic@domenicdenicola.com> wrote:

> For the XSS attacker, couldn't they just use
> `theInput.removeAttribute("writeonly"); alert(theInput.value);`?
>
> Or is this some kind of new "un-removable attribute"?
>

The strawman suggests setting a flag on the element, and doesn't suggest a
way of unsetting that flag. This is conceptually similar to iframe@sandbox's
effect on the document loaded into the frame.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 15 October 2014 16:42:15 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:24 UTC