- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 17 Dec 2009 10:40:13 -0800
- To: timeless@gmail.com
- CC: Mike Wilson <mikewse@hotmail.com>, Anne van Kesteren <annevk@opera.com>, www-style@w3.org
On 12/17/09 5:19 AM, timeless wrote: > from memory the other concern people had was the ability for a site to do: > > @import url(https://bank.com/balance.cgi); > > and then interrogate the unknown rules to recover the web page. > > I take it that people have solved this problem and are no longer worried? Gecko throws a security exception on attempts to get the rule list of a stylesheet that's not same-origin with the calling script, to prevent interrogation of things that even happen to look like known rules. Can't speak to what other browsers do. -Boris
Received on Thursday, 17 December 2009 18:41:11 UTC