Re: [whatwg] behavior

Sun, 18 Oct 2009 05:40:37 -0700

On Sun, 18 Oct 2009 14:21:56 +0200, Ben Laurie <b...@google.com> wrote:

> On Sun, Oct 18, 2009 at 5:37 AM, Ian Hickson <i...@hixie.ch> wrote:
>> On Fri, 16 Oct 2009, Ben Laurie wrote:
>>>> On Thu, 6 Aug 2009, Andrew Oakley wrote:
>>>>>
>>>>> - Should the type attribute take precedence over the Content-Type
>>>>> header?
>>>>
>>>> No, I believe what the spec says here is the preferred behaviour.
>>>> Unless this is incompatible with legacy content, we should try to move
>>>> towards this behaviour.
>>>
>>> I realise this is only one of dozens of ways that HTML is unfriendly to
>>> security, but, well, this seems like a bad idea - if the page thinks it
>>> is embedding, say, some flash, it seems like a pretty bad idea to allow
>>> the (possibly untrusted) site providing the "flash" to run whatever it
>>> wants in its place.
>>
>> If the site is untrusted, yet you are letting it run flash, then you've
>> lost already. Flash can inject arbitrary JS into your page.
>
> Perhaps I am failing to understand, but if I embed anything from an
> untrusted site, then it can choose what type it is - so how would I
> prevent it running Flash?

Running Flash and allowing the same Flash to script your page are two different things. Flash needs allowscriptaccess="always" to script if it is loaded from a different domain. This may not be true for all plug-ins though.

--
Ola P. Kleiven, Core Compatibility, Opera Software
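An added example, not code from the thread or from any browser or plug-in, that models the two rules the exchange turns on: the server's Content-Type header deciding the embed type over the page's type attribute, and cross-domain Flash only scripting the page when allowScriptAccess="always". It assumes the other allowScriptAccess values "sameDomain" (the default) and "never", which the thread does not mention.

```javascript
// Added example; models the thread's two rules, not any real implementation.
//  1. For <object>/<embed>, a Content-Type header sent by the server wins
//     over the page's type="" attribute (the spec behaviour Ian defends).
//  2. Cross-domain Flash may only script the embedding page when the embed
//     sets allowScriptAccess="always" (Ola's point).
// Assumed, not on the page: allowScriptAccess also takes "sameDomain"
// (the default) and "never".

function mimeType(value) {
  // Strip parameters such as "; charset=utf-8" and normalise case.
  return (value || "").split(";")[0].trim().toLowerCase() || null;
}

// Rule 1: which MIME type decides plug-in dispatch for an embed.
function resolveEmbedType(typeAttr, contentTypeHeader) {
  return mimeType(contentTypeHeader) || mimeType(typeAttr);
}

// Audit helper for page authors: true when the server-chosen type differs
// from what the page declared, i.e. the embedding page is not the party
// deciding which plug-in runs for this resource.
function embedTypeMismatch(typeAttr, contentTypeHeader) {
  const declared = mimeType(typeAttr);
  const effective = resolveEmbedType(typeAttr, contentTypeHeader);
  return declared !== null && effective !== declared;
}

// Rule 2: may the loaded Flash movie script the embedding page?
function flashMayScriptPage(sameDomain, allowScriptAccess) {
  switch ((allowScriptAccess || "sameDomain").toLowerCase()) {
    case "always":
      return true;
    case "never":
      return false;
    case "samedomain":
      return sameDomain;
    default:
      // Unrecognised value: deny (a conservative assumption made here,
      // not Flash's documented behaviour).
      return false;
  }
}
```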
