- From: Ian Hickson <ian@hixie.ch>
- Date: Sat, 22 Jul 2006 04:32:07 +0000 (UTC)
- To: www-svg@w3.org

The Connection interface (A.7.3) is impossible to implement without exposing the UA to security vulnerabilities. This is the case even if one dramatically limits the possible actions one could do with this API, for example limiting the host to the same as the content's host, and the port to the same as the content's port, would still allow for XSS attacks.

Please either make support of this API optional, clearly marking it as being inappropriate for use on the Web, or, redesign it such that it does not expose UA vendors to security flaws by design.

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 22 July 2006 04:32:19 UTC