On Tue, Jun 5, 2012 at 11:02 AM, Adam Barth <w...@adambarth.com> wrote:
>> On Tue, Jun 5, 2012 at 2:10 AM, Adam Barth <w...@adambarth.com> wrote:
>> If you mean http://code.google.com/p/doctype-mirror/wiki/ArticleE4XSecurity
>> I guess that would depend on how we define it.
>
> By the way, it occurs to me that we can solve these security problems
> if we restrict the syntax to only working when executing inline or via
> <script crossorigin src=...>. If the script has appropriate CORS
> headers, then it doesn't matter if we leak its contents because
> they're already readable by the document executing the script.

It would also have to be disabled for workers until we have DOM access there...

--
Anne — Opera Software
http://annevankesteren.nl/
http://www.opera.com/
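
The gating rule discussed in this thread, modelled as an added example (not code from the thread's participants or from any browser): the syntax is enabled only for inline scripts or for `<script crossorigin src=...>` whose response the document could already read, and never in workers. The object fields (`context`, `inline`, `crossorigin`, `src`, `responseHeaders`) and the sample origins are assumptions made for illustration; header names are assumed to be lowercased.

```javascript
// Added illustration; field names are hypothetical, not from any browser's code.

// CORS check: may a document at docOrigin read this cross-origin response?
function corsCheckPasses(docOrigin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) return allowOrigin === '*' || allowOrigin === docOrigin;
  // Credentialed fetch: "*" is not accepted, and the server must opt in.
  return allowOrigin === docOrigin &&
    headers['access-control-allow-credentials'] === 'true';
}

// Returns true when the restricted syntax could be enabled for this script.
function syntaxAllowed(docUrl, script) {
  if (script.context === 'worker') return false;  // disabled for workers
  if (script.inline) return true;                 // source is already in the document
  if (script.crossorigin === null) return false;  // plain <script src>: stays opaque
  const docOrigin = new URL(docUrl).origin;
  if (new URL(script.src, docUrl).origin === docOrigin) return true;
  const withCredentials = script.crossorigin === 'use-credentials';
  return corsCheckPasses(docOrigin, withCredentials, script.responseHeaders || {});
}

// Constructed sample inputs (origins and headers are made up).
const DOC = 'https://app.example/index.html';
const CDN = 'https://cdn.example/lib.js';
const SAMPLES = {
  inline: { context: 'window', inline: true },
  workerInline: { context: 'worker', inline: true },
  plainCrossSite: { context: 'window', inline: false, crossorigin: null, src: CDN,
    responseHeaders: { 'access-control-allow-origin': '*' } },
  corsWildcard: { context: 'window', inline: false, crossorigin: 'anonymous', src: CDN,
    responseHeaders: { 'access-control-allow-origin': '*' } },
  corsNoHeaders: { context: 'window', inline: false, crossorigin: 'anonymous', src: CDN,
    responseHeaders: {} },
  credsWildcard: { context: 'window', inline: false, crossorigin: 'use-credentials',
    src: CDN, responseHeaders: { 'access-control-allow-origin': '*',
      'access-control-allow-credentials': 'true' } },
  credsExact: { context: 'window', inline: false, crossorigin: 'use-credentials',
    src: CDN, responseHeaders: { 'access-control-allow-origin': 'https://app.example',
      'access-control-allow-credentials': 'true' } },
};

for (const [name, s] of Object.entries(SAMPLES)) {
  console.log(name, syntaxAllowed(DOC, s));
}
```

Note that `plainCrossSite` is rejected even though the server sends `Access-Control-Allow-Origin: *`: without the `crossorigin` attribute the fetch is not made in CORS mode, so the response is never checked for readability.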