patch: stub implementation of XMLHttpRequest
Dirk Mueller
mueller at kde.org
Wed Feb 25 13:09:22 CET 2004
On Wednesday 25 February 2004 06:14, Maciej Stachowiak wrote:
> > So can I interpret from that that you changed the XSS check
> > implementation?
> No, and I don't think I'm going to. You should not be able to access
> documents from another server with XMLHttpRequest, IMO.
Sigh. I'm not talking about making the XMLHttpRequest check _less_ strict, I'm
talking about making the general XSS check *more* paranoid.
Testing seems to indicate that e.g. Mozilla has a better XSS testing
infrastructure in place. For example they seem to block iframe accesses by
default (?), and port differences do matter for the XSS check, unless the
domain was modified. It seems they hide a superior test behind the (rather
broken) domain-check.
> I don't think other implementations do any checking of the headers or
> body.
Big surprise: browsers do have security bugs. No reason to have those bugs in
our implementation though.
Dirk