Re: HTTPbis and the Same Origin Policy

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 03 Dec 2009 13:35:52 -0800
Message-ID: <4B182F38.2020206@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Tyler Close <tyler.close@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org

On 12/3/09 1:26 PM, Adam Barth wrote:
> Imagine frame A is from foo.example.com and frame B is from
> bar.example.com.  Now, both set their document.domain to
> "example.com".  Once they do this, they can script each other, so
> frame A injects a script tag into frame B.  When that script runs, it
> can make a PUT request to bar.example.com with XMLHttpRequest.

Ah right. I got "example.com" stuck in my head and thought you were
PUTing to that.

Received on Thursday, 3 December 2009 21:36:33 GMT
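
The scenario in the quoted text, as an added example that is not part of the original message: a simplified model of the two separate checks involved, where script access between frames honours document.domain but XMLHttpRequest compares against the unchanged origin of the document the script runs in. The names `Doc`, `canScript`, `xhrSameOrigin` and `scenario` are hypothetical, and the model omits public-suffix and port handling.

```javascript
// Simplified model of two browser checks (added example; all names hypothetical).
class Doc {
  constructor(url) {
    const u = new URL(url);
    this.origin = u.origin;   // scheme + host + port; never changed by scripts
    this.scheme = u.protocol;
    this.host = u.hostname;
    this.domain = null;       // non-null only after document.domain is assigned
  }
  // document.domain may be set to the host itself or to a parent domain of it.
  setDomain(value) {
    if (this.host !== value && !this.host.endsWith("." + value)) {
      throw new Error("SecurityError");
    }
    this.domain = value;
  }
}

// Cross-frame script access: both sides must opt in with the same document.domain,
// otherwise the full origins must match.
function canScript(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) return a.origin === b.origin;
  return false;
}

// XMLHttpRequest ignores document.domain and uses the running document's origin.
function xhrSameOrigin(runningIn, targetUrl) {
  return new URL(targetUrl).origin === runningIn.origin;
}

function scenario() {
  const frameA = new Doc("http://foo.example.com/a");
  const frameB = new Doc("http://bar.example.com/b");
  const before = canScript(frameA, frameB);
  frameA.setDomain("example.com");
  frameB.setDomain("example.com");
  const after = canScript(frameA, frameB);
  const target = "http://bar.example.com/resource";
  return {
    before, after,
    putFromA: xhrSameOrigin(frameA, target),                   // A's own script
    putInjectedIntoB: after && xhrSameOrigin(frameB, target),  // script running in B
    putToParent: xhrSameOrigin(frameB, "http://example.com/resource"),
  };
}
```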
