Quoting Alexey Feldgendler [EMAIL PROTECTED]:
I'm not sure that the answers to these questions are the same for all
modern browsers.
You can speculate forever or just find out.
--
Anne van Kesteren
http://annevankesteren.nl/
On Fri, 17 Mar 2006 10:53:00 +0200, Anne van Kesteren
[EMAIL PROTECTED] wrote:
Quoting Alexey Feldgendler [EMAIL PROTECTED]:
I'm not sure that the answers to these questions are the same for all
modern browsers.
You can speculate forever or just find out.
My small test page does some
On 3/16/06, Gervase Markham [EMAIL PROTECTED] wrote:
Hallvord R M Steen wrote:
You are right, if no variables are created one can't see the data by
loading it in a SCRIPT tag. Are you aware of intranets/CMSes that use
this as a security mechanism?
That's not actually right. I'm pretty
Based on the 2006-02-24 version.
1.1.
Mac OS X not MacOS X
2.2.5.
'Should textContent be defined differently for dir= and bdo?
Should we come up with an alternative to textContent that handles
those and other things, like alt=?'
Messing with the Core API seems like a bad idea. Having an
On 3/17/06, Gervase Markham [EMAIL PROTECTED] wrote:
Jim Ley wrote:
Please can you provide more information on how raw JSON is available
from script elements?
Apologies; it was the Array constructor, and I was slightly wrong in the
details. Here is the exploit:
Henri Sivonen wrote:
2.4.5.
To set metadata with meta elements, authors must first specify a
profile that defines metadata names, using the profile attribute.
In my opinion, it would be useful to predefine the traditional names
and Dublin Core.
Predefining the traditional names would be
The JSONRequest does only one thing: It exchanges data between scripts on pages
with JSON servers in the web. It provides this highly valuable service while
introducing no new security vulnerabilities.
A browser within a firewall may have the capability to interact with a server
The cache rules are unworkable, please remove these and use standard
HTTP methods for suggesting the cacheability of a resource, forcing
them to be uncacheable is unworkable w.r.t. proxy caches and
extremely unwelcome within the browser.
Applications must not cache responses to a POST
On 3/17/06, Douglas Crockford [EMAIL PROTECTED] wrote:
The cache rules are unworkable, please remove these and use standard
HTTP methods for suggesting the cacheability of a resource, forcing
them to be uncacheable is unworkable w.r.t. proxy caches and
extremely unwelcome within the