W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: The Origin header (was Re: HTTPbis and the Same Origin Policy)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 04 Dec 2009 14:51:17 -0800
Message-ID: <4B199265.9040102@mozilla.com>
To: Mary Ellen Zurko <mzurko@us.ibm.com>
CC: "Maciej Stachowiak <mjs" <mjs@apple.com>, "public-web-security@w3.org" <public-web-security@w3.org>
On 12/4/09 7:36 AM, Mary Ellen Zurko wrote:
>> Same-origin is about preventing Cross-Site Scripting (XSS) attacks. 
> 
> Not to be a total pedant, but since this is an issue near and dear to my
> heart...
> 
> same-origin is about mitigating XSS, not preventing it, right? Since in
> web apps that allow users to collaborate with content that might include
> (D)HTML, same-origin is of no help at all. right?

The same-origin policy has been so effective at preventing direct
scripting across sites that most "XSS" attacks people are familiar with
have been various ways of injecting the code into the victim site
through site flaws, bypassing the browsers' same-origin checks. But
every new client feature has to take the same-origin policy carefully
into account to avoid creating new client-side XSS avenues.
Received on Friday, 4 December 2009 22:52:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT