On 5/3/19 4:06 AM, Frederik Braun wrote:
> In bug 1548773, annevk suggested to unship the `typeMustMatch`attribute
> from <object> elements[1].
>
> No other browser supports this and we have just learned that this
> attribute can be used to leak information about cross-origin resources[2].
>
> While it seems worth removing immediately to me, I'm interested in
> additional feedback.
I ran a search on BigQuery over HTTP Archive data (just for desktop) and
here are the results:
<
https://docs.google.com/spreadsheets/d/1z9-QVOqZtTJ1LcpSfjrW8CdoHHTrAaktiOjr7NJ_mgE/edit#gid=344963178>
I only looked at 10 random items, and nothing seemed alarming -- just
enumeration of attributes, or mapping strings to props, or regular
expressions looking for valid attributes.
(Might be worth someone putting in more than 5 minutes of poking around
though).
--
Mike Taylor
Web Compat, Mozilla