[whatwg] importScripts() no longer checking for cross-origin loads
Ian Hickson
ian at hixie.ch
Wed Nov 26 15:40:05 PST 2008

Heads-up: Since nobody could say what security vulnerability we were
protecting against in making importScripts() block cross-origin loads,
I've commented out the step that enforces same-origin restrictions for
importScripts(). The only vulnerabilities I can find are things that can
already be done with <script> (e.g. slurping cookie-protected JSON).
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'