
What is the same-origin policy for (was Re: The Origin header)

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 4 Dec 2009 08:13:38 -0800
Message-ID: <7789133a0912040813q7e9b72f0o1e304ebc63778a1f@mail.gmail.com>
To: Mary Ellen Zurko <mzurko@us.ibm.com>
Cc: "Maciej Stachowiak" <mjs@apple.com>, "public-web-security@w3.org" <public-web-security@w3.org>
On Fri, Dec 4, 2009 at 7:36 AM, Mary Ellen Zurko <mzurko@us.ibm.com> wrote:
> Not to be a total pedant, but since this is an issue near and dear to my
> heart...
>
> same-origin is about mitigating XSS, not preventing it, right? Since in web
> apps that allow users to collaborate with content that might include
> (D)HTML, same-origin is of no help at all. Right?

The same-origin policy is somewhat of a "catch-all" phrase that refers
to the security limitations we impose on web content to let users
visit untrusted web sites securely.  Among other things, the
same-origin policy prevents web sites from writing arbitrary files to
your hard drive and prevents malicious web sites from disrupting the
confidentiality or integrity of your sessions with honest web sites.

It's possible one could imagine inventing other terms to denote
various pieces of this broad landscape, but there are already more terms
in web security than we need.  :)

Adam
Received on Friday, 4 December 2009 16:14:41 GMT
