Re: Proposal: Security checks after same-origin revocation with document.domain

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 25 Jun 2012 15:17:05 -0400
Message-ID: <4FE8B931.3000303@mit.edu>
To: Ian Hickson <ian@hixie.ch>
CC: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>

On 6/22/12 7:07 PM, Ian Hickson wrote:
> There's lots of other ways to screw it up, e.g. anything on
> foo.example.com that reflects HTML back, even if it checks the origin of
> the submitter, would end up letting B run code in A's origin, letting C do
> whatever it wants with B

I don't follow this.

> Similarly, anything on any other port on any
> other subdomain of example.com can now access A and B.

No, A and C.  Can't access B.

> In general, authors should IMHO assume that if they've set document.domain to let another
> origin's pages access them, they've given access to the entire origin.

They don't assume that right now, and if it actually worked that way 
some things would be pretty broken.

> If that's not acceptable, then they shouldn't use document.domain, but should
> instead use one of the more secure mechanisms like postMessage().

That doesn't help with existing content.

-Boris
Received on Monday, 25 June 2012 19:17:38 UTC
