
Re: What is the same-origin policy for (was Re: The Origin header)

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Mon, 7 Dec 2009 13:03:13 +0800
Message-ID: <8ba534860912062103g1c4643c1w5e8bba659f14e307@mail.gmail.com>
To: public-web-security@w3.org
Hi!

I am confused about CORS... Is CORS actually for "dropping SOP" under certain
conditions, or is it just an XHR thing?

I mean, this means that if:

https://www.example.net/

completely trusts http://www.example.com/ then http://www.example.com/ will
be able to access the DOM of a frame on https://www.example.net/?

Isn't this dangerous?

If for example..

www.bankofamerica.com trusts http://www.google.com/ (maybe because of some
API or whatever..) and http://www.google.com/ trusts http://www.youtube.com/ and
http://www.youtube.com/ trusts http://help.youtube.com/ and then I find an
XSS on help.youtube.com, wouldn't I be capable of chaining these trust
relationships and XSS bankofamerica?

I think that's not what CORS was meant for, but I'm confused since
http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0931/draft.html

Says:
This specification defines an HTTP response header that allows a resource to
opt-out of SOP protection for a given HTTP response.

So this only applies for XHR? The abstract seems to say that:
http://www.w3.org/Security/wiki/CORS but it's not very clear to me..
Sorry.. maybe I'm slow hehe. Can someone tell me if this is only for XHR or
applies to all of SOP?

Thanks!

Greetings!!
Received on Monday, 7 December 2009 05:04:07 GMT

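The trust-chain scenario in the message above, modelled as an added example (not code from the original post or from the CORS draft): a simplified version of the read check a browser performs when a page issues a cross-origin XHR, where the Access-Control-Allow-Origin header of each individual response is compared against the origin of the requesting page. The origins in the chain are constructed stand-ins, and the check is illustrative, not the spec algorithm verbatim.

```javascript
// Serialize a URL to its origin (scheme://host[:port], default port omitted),
// which is the value a browser compares the CORS header against.
function originOf(url) {
  return new URL(url).origin;
}

// Decide whether a page at `pageOrigin` may read a response carrying the CORS
// headers in `headers` (lower-cased names). `credentialed` models an XHR sent
// with withCredentials. CORS only governs reading the HTTP response; it grants
// no access to the DOM of a frame from another origin.
function responseReadable(pageOrigin, headers, credentialed = false) {
  const allow = headers['access-control-allow-origin'];
  if (allow === undefined) return false;      // no opt-out: SOP blocks the read
  if (allow === '*') return !credentialed;    // wildcard never pairs with credentials
  if (allow !== pageOrigin) return false;     // single value, exact match required
  if (credentialed) {
    return headers['access-control-allow-credentials'] === 'true';
  }
  return true;
}

// Constructed chain: each site's response allows exactly one other origin.
// (Hypothetical hosts, not the real sites named in the message.)
const ALLOWS = {
  'https://bank.example': 'https://api.example',
  'https://api.example': 'https://video.example',
  'https://video.example': 'https://help.example',
};

// Simulate a page at `pageUrl` fetching `targetUrl` and report whether the
// page could read the body. Trust is evaluated per response, so it does not
// compose along the chain.
function simulateFetch(pageUrl, targetUrl) {
  const target = originOf(targetUrl);
  const headers = target in ALLOWS
    ? { 'access-control-allow-origin': ALLOWS[target] }
    : {};
  return responseReadable(originOf(pageUrl), headers);
}

// Direct trust works; the end of the chain still cannot read the bank.
console.log(simulateFetch('https://api.example/app', 'https://bank.example/api'));   // true
console.log(simulateFetch('https://help.example/page', 'https://bank.example/api')); // false
```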