[Webkit-unassigned] [Bug 10313] xsl:import and document() don't work in stylesheets loaded via XMLHttpRequest

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 25 13:22:29 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=10313





--- Comment #55 from Adam Barth <abarth at webkit.org>  2010-06-25 13:22:28 PST ---
[1:18pm] ap: abarth: DOMParser.parse("untrusted data") doesn't execute scripts when parsing AFAIK. or does it?
[1:18pm] abarth: frameless documents can't execute scripts
[1:18pm] abarth: they can't find the script controller
[1:18pm] abarth: which is on Frame
[1:18pm] ap: abarth: why is it XSS in that case?
[1:19pm] abarth: ap: because you're giving the document created from the untrusted bytes your security origin
[1:19pm] abarth: ap: in this case, you're letting them load subresources with your authority
[1:20pm] abarth: ap: which means the attacker can learn information he's not supposed to know
[1:20pm] abarth: ap: and probably exfiltrate that information via other subresource loads
[1:20pm] ap: abarth: assuming the contributor knows about security as much or less as I do, that's probably worth explaining in a bugzilla comment
