Re: What is the same-origin policy for (was Re: The Origin header)

From: <sird@rckc.at>
Date: Mon, 7 Dec 2009 16:30:01 +0800
Message-ID: <8ba534860912070030xb7f10b4g4c1d0177472ca412@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Devdatta <dev.akhawe@gmail.com>, public-web-security@w3.org
Ian, are you aware that that will give CSS the power to execute
JavaScript cross-site? (think of XSS).

Right now we can't do this on Firefox anymore, because they limited it to
same domain, but if this gets implemented then attacker.com will just send
the header so his script will be loaded.

I thought that was the reason moz bindings were disabled in the first place
=/ because no one wanted CSS to execute JS.

Greetings!!

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Mon, Dec 7, 2009 at 3:28 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Mon, 7 Dec 2009, sird@rckc.at wrote:
> >
> > a.example.com/mozbind.html
> >
> > or
> >
> > b.example.net/binding.xml
>
> Both. a.example.com/mozbind.html has to reference
> b.example.net/binding.xml, and b.example.net/binding.xml has to opt-in to
> supporting a.example.com.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>
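The objection in this message is about the direction of trust: a cross-site binding policy in which the binding document opts in to the page's origin is satisfied by whoever controls the binding host, so it does not protect the page that ends up running the script. The following is an added model of that decision, not code from the thread, from Firefox or from any specification; the origins, the `-moz-binding` declaration, the CORS-style header used to represent the opt-in, and the contrasting page-side allowlist are all constructed for illustration.

```javascript
// Added example (not from the thread or any browser): a small model of the two
// trust directions debated above. Origins, header names and the allowlist are
// constructed for illustration.

// Reduce a URL to its origin (scheme + host + port).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Pull the binding URL out of a -moz-binding declaration, resolving it against
// the stylesheet's own URL as a browser would.
function bindingUrlFromDeclaration(declaration, stylesheetUrl) {
  const m = /-moz-binding\s*:\s*url\(\s*["']?([^"')\s]+)["']?\s*\)/i.exec(declaration);
  if (!m) return null;
  return new URL(m[1], stylesheetUrl).href;
}

// Policy A, as Ian describes it: the binding document opts in to the page's
// origin. Modelled here with a CORS-style response header sent by the binding
// host (the header name is an assumption, not something the thread specifies).
function resourceOptInAllows(pageUrl, bindingUrl, bindingResponseHeaders) {
  const page = originOf(pageUrl);
  if (page === originOf(bindingUrl)) return true; // same origin: what Firefox already permits
  const allow = (bindingResponseHeaders['access-control-allow-origin'] || '').trim();
  return allow === '*' || allow === page;
}

// Policy B (hypothetical, for contrast): the embedding page, whose users carry
// the risk, declares which origins may supply script-bearing bindings. The
// binding host's own headers play no part in the decision.
function pageAllowlistAllows(pageUrl, bindingUrl, allowedBindingOrigins) {
  const page = originOf(pageUrl);
  const binding = originOf(bindingUrl);
  if (page === binding) return true;
  return allowedBindingOrigins.includes(binding);
}

// Constructed scenario matching Eduardo's point: a rule pointing at a
// third-party binding host has reached the victim page's stylesheet, and that
// host, being under the same control as the rule, emits the opt-in header.
function evaluateScenario() {
  const pageUrl = 'https://victim.example/account';
  const stylesheetUrl = 'https://victim.example/styles/main.css';
  const injected = 'body { -moz-binding: url("https://third-party.example/binding.xml#x"); }';
  const bindingUrl = bindingUrlFromDeclaration(injected, stylesheetUrl);
  const headersFromBindingHost = { 'access-control-allow-origin': 'https://victim.example' };

  return {
    bindingUrl,
    // Resource-side opt-in: the binding host names the victim origin, so it passes.
    resourceOptIn: resourceOptInAllows(pageUrl, bindingUrl, headersFromBindingHost),
    // Page-side allowlist (only the page's own origin listed): the binding is refused.
    pageAllowlist: pageAllowlistAllows(pageUrl, bindingUrl, ['https://victim.example']),
  };
}
```

Running `evaluateScenario()` shows the asymmetry: the resource-side check returns `true` because the party who controls the binding also controls the header, while a page-side allowlist that only names the page's own origin returns `false`. The point the model makes is that an opt-in only restricts a party that has an interest in saying no.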
Received on Monday, 7 December 2009 08:30:54 GMT