Re: What is the same-origin policy for (was Re: The Origin header) from sird@rckc.at on 2009-12-14 (public-web-security@w3.org from December 2009)

From: <sird@rckc.at>
Date: Mon, 14 Dec 2009 13:08:14 +0800
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <8ba534860912132108o43dba327k5eab279eed793244@mail.gmail.com>

Ok, thank you Daniel! understood :)

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Mon, Dec 14, 2009 at 1:06 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 12/7/09 12:30 AM, sird@rckc.at wrote:
> > Ian, are you aware that that will provide CSS the power to execute
> > javascript cross-site? (think on XSS).
> >
> > Right now we can't do this on firefox anymore, because they limited it
> > to same domain, but if this gets implemented then attacker.com
> > <http://attacker.com> will just send the header so his script will be
> > loaded.
>
> Mozilla isn't going to expand the use of XBL(1) bindings with or without
> CORS; we'd like to kill remote XBL(1) dead, in fact. The part of the
> spec you quoted, however, refers to XBL 2.0 which has a different
> processing model. We will only consider loading cross-origin XBL 2 if
> scripts in a binding respect the same-origin policy.
>

Received on Monday, 14 December 2009 05:09:20 UTC