On Sun, May 18, 2008 at 10:50 AM, Steven Mascaro <[EMAIL PROTECTED]> wrote:
> For example, suppose that it were possible to retrieve the text of any
> <script src="..."></script> element using '.textContent' from
> javascript, regardless of origin. You'll agree that this is
> unthinkable today. But I assume you'll also agree that there is no
> security problem in doing this if no cookies (or other private data)
> are sent in the initial request to retrieve the script page?

I wouldn't make that assumption, and I doubt that Brendan would agree.

http://publicsite.com/lolhax.html containing <script
src="http://intranet/internallyPublicResource?format=json"></script>,
for example.

Mike
_______________________________________________
Es4-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es4-discuss
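
The scenario in the reply above, as an added example that is not part of the original thread: a JavaScript model of the decision to expose cross-origin script text, showing that a "no cookies were sent" test alone lets the public page read the intranet response, because the browser's position inside the network is also a form of authority. The function names, the IP addresses standing in for the two hosts, and the address-space comparison are assumptions made for illustration.

```javascript
// Added illustration; addressSpace and mayExposeResponse are hypothetical names.
const SPACES = ["public", "private", "loopback"]; // least to most private

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("not an IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("bad octet in " + ip);
    return acc * 256 + Number(p);
  }, 0);
}

function inCidr(ip, base, bits) {
  const size = 2 ** (32 - bits); // number of addresses in the block
  return Math.floor(ipv4ToInt(ip) / size) === Math.floor(ipv4ToInt(base) / size);
}

function addressSpace(ip) {
  if (inCidr(ip, "127.0.0.0", 8)) return "loopback";
  // RFC 1918 private ranges plus IPv4 link-local.
  const ranges = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["169.254.0.0", 16]];
  return ranges.some(([base, bits]) => inCidr(ip, base, bits)) ? "private" : "public";
}

// Decide whether the text of a fetched script may be exposed to the including page.
// checkNetwork=false models the "no cookies sent, so no problem" assumption on its own.
function mayExposeResponse(req, checkNetwork = true) {
  if (req.pageOrigin === req.resourceOrigin) return { allow: true, reason: "same origin" };
  if (req.cookiesSent) return { allow: false, reason: "credentialed cross-origin response" };
  const rank = (ip) => SPACES.indexOf(addressSpace(ip));
  if (checkNetwork && rank(req.resourceIp) > rank(req.pageIp)) {
    return { allow: false, reason: "resource is in a more private address space than the page" };
  }
  return { allow: true, reason: "passed the checks that were applied" };
}

// Constructed sample: the two hosts from the reply, with made-up resolved addresses.
const SAMPLE = {
  pageOrigin: "http://publicsite.com", pageIp: "203.0.113.10",
  resourceOrigin: "http://intranet", resourceIp: "10.1.2.3",
  cookiesSent: false,
};

console.log("cookie test only:", mayExposeResponse(SAMPLE, false));
console.log("with address-space check:", mayExposeResponse(SAMPLE, true));
```

The address-space comparison covers only the intranet case raised in the reply; other non-cookie authority, such as IP-based access control on a public address, is outside what this check sees.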
