On Thu, 7 Feb 2008, Close, Tyler J. wrote: > > The current design clearly doesn't provide any such protection since the > _user_'s consent is not required for the third-party site to issue the > cross-domain request. Just because a third-party site wants to delete my > email and has the permission to do so with my consent, doesn't mean it > should be allowed to go ahead and do so without my consent. The current > design never requires the user's consent to wield the user's authority. A victim site that trusts a hostile site is as likely to expose a user to this kind of attack today as it is with Access-Control. Again, I don't see any way to prevent such an attack when the victim site is misconfigured. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'Received on Thursday, 7 February 2008 23:05:47 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 7 February 2008 23:05:48 GMT