Re: Proposal: Security checks after same-origin revocation with document.domain

On 6/22/12 7:07 PM, Ian Hickson wrote:
> There's lots of other ways to screw it up, e.g. anything on
> foo.example.com that reflects HTML back, even if it checks the origin of
> the submitter, would end up letting B run code in A's origin, letting C do
> whatever it wants with B

I don't follow this.

> Similarly, anything on any other port on any
> other subdomain of example.com can now access A and B.

No, A and C.  Can't access B.

> In general, authors should IMHO assume that if they've set document.domain to let another
> origin's pages access them, they've given access to the entire origin.

They don't assume that right now, and if it actually worked that way 
some things would be pretty broken.

> If that's not acceptable, then they shouldn't use document.domain, but should
> instead use one of the more secure mechanisms like postMessage().

That doesn't help with existing content.

-Boris

Received on Monday, 25 June 2012 19:17:38 UTC
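
Added example, not part of the original message or of any browser's code: a simplified JavaScript model of the "same origin-domain" comparison that applies once pages set document.domain, showing that the port drops out of the check and that a page which has not set document.domain is not matched. The helper names and the example.com hosts are constructed for illustration, and the public-suffix restriction is omitted.

```javascript
// Simplified model of the HTML "same origin-domain" check (tuple origins only).
// An origin is {scheme, host, port, domain}; domain stays null until the page
// assigns document.domain. All hosts below are constructed sample values.
function makeOrigin(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// Model of a document.domain assignment: the value must be the current
// effective domain or a parent suffix of it. (Assumption: public-suffix
// rejection, which real browsers also perform, is left out.)
function setDocumentDomain(origin, value) {
  const effective = origin.domain ?? origin.host;
  if (effective !== value && !effective.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + effective);
  }
  return { ...origin, domain: value };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function sameOriginDomain(a, b) {
  // Both sides opted in: scheme and domain must match, port is ignored.
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  // Neither side opted in: ordinary same-origin comparison.
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  // Only one side opted in: no access, even if host and port are identical.
  return false;
}

// Constructed pages: two subdomains on different ports that both relax to
// example.com, and one page on app.example.com that never sets document.domain.
const relaxedApp = setDocumentDomain(makeOrigin("https", "app.example.com", 443), "example.com");
const relaxedOther = setDocumentDomain(makeOrigin("https", "other.example.com", 8443), "example.com");
const untouchedApp = makeOrigin("https", "app.example.com", 443);

console.log("relaxed app <-> relaxed other:", sameOriginDomain(relaxedApp, relaxedOther));
console.log("relaxed app <-> untouched app:", sameOriginDomain(relaxedApp, untouchedApp));
```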