[Bug 14392] Remove locked same-origin policy from HTML5 spec

http://www.w3.org/Bugs/Public/show_bug.cgi?id=14392

Collin Jackson <w3c@collinjackson.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|This is not an effective    |Remove locked same-origin
                   |way to isolate documents if |policy from HTML5 spec
                   |they import script via      |
                   |relative URLs or have forms |
                   |that submit to relative     |
                   |URLs, so it seems dangerous |
                   |to include in the HTML5     |
                   |spec. See                   |
                   |http://w2spconf.com/2008/pa |
                   |pers/s2p1.pdf               |

--- Comment #1 from Collin Jackson <w3c@collinjackson.com> 2011-10-05 19:48:48 UTC ---
The specific text is:

In addition, if the URL is in fact associated with a Document object that was
created by parsing the resource obtained from fetching URL, and this was done
over a secure connection, then the server's secure certificate may be added to
the origin as additional data.

This "locked same-origin policy" was originally proposed by Karlof et al. in
"Dynamic pharming attacks and locked same-origin policies for web browsers"
(CCS 2007).

However, locked SOP is not an effective way to isolate documents if they import
script via relative URLs or have forms that submit to relative URLs. See
http://w2spconf.com/2008/papers/s2p1.pdf

Because it's so hard to use securely, it seems dangerous to include in the
HTML5 spec.
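The argument in the comment above, as an added illustration that is not code from the bug report, the HTML5 spec or the cited paper: a locked-SOP origin tuple is modelled with a constructed certificate label, and an audit function lists the relatively addressed script and form references that resolve to the document's host name regardless of that label. It assumes Node.js (for the built-in WHATWG URL class); the sample page and certificate labels are constructed.

```javascript
// Added example, not code from the bug report or the cited paper. Runs under
// Node.js (uses the built-in WHATWG URL class). Certificate labels and the HTML
// snippet below are constructed for illustration.

// A locked-SOP origin extends (scheme, host, port) with the certificate the
// document was loaded under.
function lockedOrigin(urlString, cert) {
  const u = new URL(urlString);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol.replace(':', ''), host: u.hostname, port, cert };
}

// Two documents on the same host but loaded under different certificates are
// treated as different origins by the locked SOP.
function sameLockedOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host &&
         a.port === b.port && a.cert === b.cert;
}

// Collect <script src> and <form action> values that are relative URLs and
// resolve them against the document's own URL. Such references resolve to the
// document's host name, and whichever server answers for that name supplies the
// script (which then runs with the document's privileges) or receives the form
// data; the certificate component of the origin plays no part in that step.
function relativeReferences(docUrl, html) {
  const refs = [];
  const re = /<(script|form)\b[^>]*\b(src|action)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[3];
    const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(raw) || raw.startsWith('//');
    if (!hasScheme) {
      refs.push({ tag: m[1].toLowerCase(), raw, resolved: new URL(raw, docUrl).href });
    }
  }
  return refs;
}

// A document is only as isolated as its relatively addressed dependencies:
// report the references that escape the certificate-based distinction.
function auditIsolation(docUrl, cert, html) {
  const refs = relativeReferences(docUrl, html);
  return { origin: lockedOrigin(docUrl, cert), isolated: refs.length === 0, refs };
}

// Constructed sample page: one relative script import and one relative form target.
const SAMPLE_URL = 'https://bank.example/account/login';
const SAMPLE_HTML = '<html><head><script src="/js/lib.js"></script></head>' +
  '<body><form method="post" action="login"><input name="pw"></form></body></html>';
```

Calling `auditIsolation(SAMPLE_URL, 'cert-A', SAMPLE_HTML)` reports `isolated: false` with both references resolved to `bank.example`, which is the situation the comment describes.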

Received on Wednesday, 5 October 2011 19:48:55 UTC