On Wed, Oct 15, 2014 at 8:59 AM, Domenic Denicola <dome...@domenicdenicola.com> wrote:
> For the XSS attacker, couldn't they just use
> `theInput.removeAttribute("writeonly"); alert(theInput.value);`?
>
> Or is this some kind of new "un-removable attribute"?
Doesn't matter if it is or not - the attacker can still always just remove the <input> and put a fresh one in. Nothing in-band will work, because the attacker can replace arbitrary amounts of the page if they're loaded as an in-page script. It's gotta be *temporally* isolated - either something out-of-band like a response header, or something that has no effect by the time scripts run, like a <meta> that is only read during initial parsing.

~TJ
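The bypass and the temporal-isolation point from TJ's reply, as an added example that is not part of the original thread: a small Node simulation with a fake DOM. The `Input`/`LockedInput`/`Page` classes, the `writeonly` attribute handling, the hypothetical `<meta name="writeonly-inputs">` page-wide policy and the victim's value `hunter2` are all constructed here for illustration and do not model any real browser feature exactly. It shows that an attribute checked at read time falls to `removeAttribute`, that an "un-removable" attribute falls to replacing the element, and that a policy read once during parsing and never consulted from the live DOM again survives both.

```javascript
// Added example (not from the original thread). Fake DOM and policy names
// are constructed for illustration only.

class Input {
  constructor(attrs = {}) {
    this.attrs = new Map(Object.entries(attrs));
    this.value = '';
  }
  hasAttribute(name) { return this.attrs.has(name); }
  removeAttribute(name) { this.attrs.delete(name); }
}

// The "un-removable attribute" variant Domenic asks about: removeAttribute
// refuses to drop writeonly. Hypothetical; no browser does this.
class LockedInput extends Input {
  removeAttribute(name) {
    if (name !== 'writeonly') super.removeAttribute(name);
  }
}

class Page {
  // "Parsing": build the initial DOM and, for the temporally isolated
  // variant, read the hypothetical <meta> policy exactly once, then freeze it.
  static parse({ locked = false, meta = null } = {}) {
    const page = new Page();
    page.meta = meta;                       // e.g. { name: 'writeonly-inputs' }
    page.inputs = [locked ? new LockedInput({ writeonly: '' })
                          : new Input({ writeonly: '' })];
    page.policy = Object.freeze({
      scriptsMayReadInputs: !(meta && meta.name === 'writeonly-inputs'),
    });
    return page;                            // scripts only run after this
  }
  replaceInput(oldEl, newEl) {
    this.inputs = this.inputs.map(el => (el === oldEl ? newEl : el));
  }
}

// In-band check: decided from the element's own attribute at read time.
function readInBand(page, input) {
  return input.hasAttribute('writeonly') ? null : input.value;
}

// Temporally isolated check: decided from the policy frozen at parse time;
// the live DOM (attribute, element, <meta>) is never consulted again.
function readWithPolicy(page, input) {
  return page.policy.scriptsMayReadInputs ? input.value : null;
}

// The injected script. It runs after parsing, so it can rewrite the DOM at
// will, but it cannot reach back into the parse phase.
function injectedScript(page) {
  const target = page.inputs[0];
  target.removeAttribute('writeonly');
  if (target.hasAttribute('writeonly')) {
    // Attribute would not budge: throw the element away and swap in a fresh
    // one the victim will type into instead.
    page.replaceInput(target, new Input());
  }
  page.meta = null;                                   // too late: already read
  try { page.policy.scriptsMayReadInputs = true; } catch (_) {} // frozen
  return page.inputs[0];                              // field the victim uses
}

// Full scenario: parse, injected script runs, victim types, attacker reads.
// kind: 'inband' | 'inband-locked' | 'policy' | 'policy-locked'
function runScenario(kind) {
  const page = Page.parse({
    locked: kind.endsWith('locked'),
    meta: kind.startsWith('policy') ? { name: 'writeonly-inputs' } : null,
  });
  const field = injectedScript(page);
  page.inputs[0].value = 'hunter2';           // constructed victim keystrokes
  const read = kind.startsWith('policy') ? readWithPolicy : readInBand;
  return read(page, field);                   // stolen value, or null
}

for (const kind of ['inband', 'inband-locked', 'policy', 'policy-locked']) {
  console.log(kind, '->', JSON.stringify(runScenario(kind)));
}
```

Both in-band variants leak `hunter2`; both policy variants return `null` even though the attacker has removed the attribute, swapped the element and deleted the `<meta>`, because nothing the script does after parsing changes what was read before it ran.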