ES4 Security

Mike Shaver mike.shaver at
Mon May 19 06:54:45 PDT 2008

On Sun, May 18, 2008 at 10:50 AM, Steven Mascaro <subs at> wrote:
> For example, suppose that it were possible to retrieve the text of any
> <script src="..."></script> element using '.textContent' from
> javascript, regardless of origin. You'll agree that this is
> unthinkable today. But I assume you'll also agree that there is no
> security problem in doing this if no cookies (or other private data)
> are sent in the initial request to retrieve the script page?

I wouldn't make that assumption, and I doubt that Brendan would agree. containing <script
for example.


More information about the Es4-discuss mailing list