
Re: What is the same-origin policy for (was Re: The Origin header)

From: Devdatta <dev.akhawe@gmail.com>
Date: Sun, 6 Dec 2009 21:09:39 -0800
Message-ID: <ecf35a1b0912062109q7f11fa06o1381adc8852c9ab2@mail.gmail.com>
To: sird@rckc.at
Cc: public-web-security@w3.org
My reading of the CORS spec tells me it is just XHR (basically the XHR
object can now do cross origin requests and read the response under
specific conditions). I don't think it removes the same origin
scripting restrictions that you are concerned about.

Cheers
Devdatta

2009/12/6 Eduardo Vela <sirdarckcat@gmail.com>:
> Hi!
>
> I am confused about CORS... Is CORS actually for "dropping SOP" under certain
> conditions, or just an XHR thingy..
>
> I mean, this means that if:
>
> https://www.example.net/
>
> completely trusts http://www.example.com/ then http://www.example.com/ will
> be able to access the DOM of a frame on https://www.example.net/?
>
> Isn't this dangerous?
>
> If for example..
>
> www.bankofamerica.com trusts http://www.google.com/ (maybe because of some
> API or whatever..) and http://www.google.com/ trusts http://www.youtube.com/
> and http://www.youtube.com/ trusts http://help.youtube.com/ and then I find
> an XSS on help.youtube.com, wouldn't I be capable of chaining these trust
> relationships and XSS bankofamerica?
>
> I think that's not what CORS was meant for, but I'm confused since
> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0931/draft.html
>
> Says:
> This specification defines an HTTP response header that allows a resource to
> opt-out of SOP protection for a given HTTP response.
>
> So this only applies for XHR? The abstract seems to say that:
> http://www.w3.org/Security/wiki/CORS but it's not very clear to me..
> Sorry.. maybe I'm slow hehe. Can someone tell me if this is only for XHR or
> applies to all of SOP?
>
> Thanks!
>
> Greetings!!
>
Received on Monday, 7 December 2009 05:10:32 GMT
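As an added illustration of the point made in this reply (not code from the thread or from any spec text), the block below models the two browser checks being conflated: DOM access between frames, which is same-origin only, and CORS, which decides per response whether script at the requesting origin may read an XHR response. The function names and the allow-lists are constructed for the example; `document.domain` relaxation is not modelled.

```javascript
// Added illustration, not code from the thread: a minimal model of the two
// browser checks being confused. Allow-lists below are constructed sample data.

// Origin = scheme + host + port; this is what the DOM same-origin check compares.
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// Script/DOM access across browsing contexts: same origin only.
// No CORS response header changes this answer.
function canScriptDom(accessorUrl, targetUrl) {
  return origin(accessorUrl) === origin(targetUrl);
}

// CORS: may script at requestOrigin read this particular response?
// Decided per response from Access-Control-Allow-Origin (header names lower-cased).
function corsAllowsRead(requestOrigin, responseHeaders, withCredentials = false) {
  const allow = responseHeaders['access-control-allow-origin'];
  if (allow === undefined) return false;
  if (allow === '*') return !withCredentials; // wildcard is rejected for credentialed requests
  return allow === requestOrigin;
}

// Constructed policies: each server names only the origins it trusts directly.
const serverPolicy = {
  'https://www.example.net': ['http://www.example.com'],
  'http://www.example.com': ['http://www.youtube.com'],
};

// The server's response to a cross-origin request arriving from requestOrigin.
function respond(serverOrigin, requestOrigin) {
  const trusted = serverPolicy[serverOrigin] || [];
  return trusted.includes(requestOrigin)
    ? { 'access-control-allow-origin': requestOrigin }
    : {};
}

// End-to-end: can a page at requestOrigin read an XHR response from serverOrigin?
function canReadXhr(requestOrigin, serverOrigin) {
  return corsAllowsRead(requestOrigin, respond(serverOrigin, requestOrigin));
}

// The chaining question: trust is evaluated per response against the actual
// requesting origin, so example.net -> example.com -> youtube.com grants
// youtube.com nothing at example.net, and even a trusted origin gets no DOM access.
```

Run under Node: `canReadXhr('http://www.example.com', 'https://www.example.net')` is true, the youtube.com hop is false, and `canScriptDom` stays false for every cross-origin pair regardless of the allow-lists.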
