ES4 Security
Mike Shaver
mike.shaver at gmail.com
Mon May 19 06:54:45 PDT 2008
On Sun, May 18, 2008 at 10:50 AM, Steven Mascaro <subs at voracity.org> wrote:
> For example, suppose that it were possible to retrieve the text of any
> <script src="..."></script> element using '.textContent' from
> javascript, regardless of origin. You'll agree that this is
> unthinkable today. But I assume you'll also agree that there is no
> security problem in doing this if no cookies (or other private data)
> are sent in the initial request to retrieve the script page?
I wouldn't make that assumption, and I doubt that Brendan would agree.
http://publicsite.com/lolhax.html containing <script
src="http://intranet/internallyPublicResource?format=json"></script>,
for example.
Mike
More information about the Es4-discuss
mailing list