[whatwg] importScripts() no longer checking for cross-origin loads

Ian Hickson ian at hixie.ch
Wed Nov 26 15:40:05 PST 2008

Heads-up: Since nobody could say what security vulnerability we were 
protecting against in making importScripts() block cross-origin loads, 
I've commented out the step that enforces same-origin restrictions for 
importScripts(). The only vulnerabilities I can find are things that can 
already be done with <script> (e.g. slurping cookie-protected JSON).

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list