W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: What is the same-origin policy for (was Re: The Origin header)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sun, 13 Dec 2009 21:06:22 -0800
Message-ID: <4B25C7CE.6080203@mozilla.com>
To: "sird@rckc.at" <sird@rckc.at>, "public-web-security@w3.org" <public-web-security@w3.org>
On 12/7/09 12:30 AM, sird@rckc.at wrote:
> Ian, are you aware that that will provide CSS the power to execute
> javascript cross-site? (think on XSS).
> 
> Right now we can't do this on firefox anymore, because they limited it
> to same domain, but if this gets implemented then attacker.com
> <http://attacker.com> will just send the header so his script will be
> loaded.

Mozilla isn't going to expand the use of XBL(1) bindings with or without
CORS; we'd like to kill remote XBL(1) dead, in fact. The part of the
spec you quoted, however, refers to XBL 2.0 which has a different
processing model. We will only consider loading cross-origin XBL 2 if
scripts in a binding respect the same-origin policy.
Received on Monday, 14 December 2009 05:07:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT