
Re: same-origin assertions in the DNS (Fwd: [apps-discuss] draft-sullivan-domain-origin-assert-00)

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Thu, 10 May 2012 07:17:40 +0200
Message-ID: <1336627060.7026.0.camel@home.hno.se>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Peter Saint-Andre <stpeter@stpeter.im>, Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>, Andrew Sullivan <ajs@anvilwalrusden.com>

On Wed, 2012-05-09 at 22:10 -0700, Maciej Stachowiak wrote:

> Treating separate domains as same-origin based on DNS records seems
> extremely dangerous, with little counter-balancing benefit (it would
> not actually be usable until implemented in a large majority of
> browsers, and there's safer ways to communicate between different
> origins). In addition to the obvious XSS dangers, consider also how
> this feature might combine with DNS rebinding attacks.

Further, the user-agent may be using proxies, not using or even having
access to DNS.

Regards
Henrik
Received on Thursday, 10 May 2012 05:18:33 GMT
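
As an added illustration of the "safer ways to communicate between different origins" that the quoted message alludes to, here is an explicit, origin-allowlisted postMessage policy. This is example code written for this archive page, not code from the thread, the draft, or any browser: the origins bank.example, partner.example and attacker.example are constructed, and browserPostMessage is a stand-in for the browser's own delivery step (which a real page never calls). The point it makes is the one the thread raises: trust is named by the application on both ends, so the decision is identical behind a proxy with no DNS access and cannot change because a hostname resolves differently later.

```javascript
// Added example (not from the mailing-list thread): explicit origin
// allowlisting for window.postMessage, run under Node with constructed
// stand-ins for Window and MessageEvent.

// Canonical "scheme://host[:port]" form, or null when the string is not a
// well-formed, non-opaque origin. Default ports are dropped so that
// "https://bank.example:443" and "https://bank.example" compare equal.
function normalizeOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  let u;
  try { u = new URL(origin); } catch { return null; }
  if (u.origin === "null") return null; // opaque origins: file:, data:, ...
  if (u.username || u.password || u.pathname !== "/" || u.search || u.hash) return null;
  return u.origin;
}

// Receiver side: accept a message only if its origin is on the allowlist,
// then validate the payload before using it. event.origin is what the
// browser attributes to the sending document; it is never a DNS lookup, so
// two hosts that happen to share an IP address are still two origins.
function makeReceiver(allowedOrigins) {
  const allowed = new Set();
  for (const o of allowedOrigins) {
    const n = normalizeOrigin(o);
    if (n === null) throw new Error(`bad allowlist entry: ${o}`);
    allowed.add(n);
  }
  return function onMessage(event) {
    const origin = normalizeOrigin(event.origin);
    if (origin === null || !allowed.has(origin)) {
      return { accepted: false, reason: `origin ${String(event.origin)} not allowlisted` };
    }
    if (event.data === null || typeof event.data !== "object" || typeof event.data.type !== "string") {
      return { accepted: false, reason: "malformed message" };
    }
    return { accepted: true, origin, data: event.data };
  };
}

// Sender side: name the recipient. A "*" target would let whatever document
// is currently loaded in the target window read the message.
function checkTargetOrigin(targetOrigin) {
  const n = normalizeOrigin(targetOrigin);
  if (n === null) throw new Error(`refusing to post to target origin ${String(targetOrigin)}`);
  return n;
}

// Constructed stand-in for the browser's delivery step: deliver only if the
// sender's targetOrigin matches the origin the target document actually
// has, and stamp the event with the sender's origin.
function browserPostMessage(fromWindow, toWindow, data, targetOrigin) {
  const target = checkTargetOrigin(targetOrigin);
  if (target !== toWindow.origin) return { delivered: false };
  return { delivered: true, result: toWindow.onmessage({ origin: fromWindow.origin, data }) };
}

function makeWindow(origin, onmessage) {
  return { origin: normalizeOrigin(origin), onmessage };
}

// Scenario over constructed origins (none of these hosts are real).
function runScenario() {
  const bank = makeWindow("https://bank.example", makeReceiver(["https://partner.example:443"]));
  const partner = makeWindow("https://partner.example", () => ({ accepted: false }));
  const attacker = makeWindow("https://attacker.example", () => ({ accepted: false }));
  const req = { type: "balance-request" };
  return {
    // allowlisted sender, correctly addressed: accepted
    partnerOk: browserPostMessage(partner, bank, req, "https://bank.example"),
    // allowlisted sender, payload of the wrong shape: dropped by the receiver
    partnerBadPayload: browserPostMessage(partner, bank, "just a string", "https://bank.example"),
    // non-allowlisted sender: delivered by the browser, dropped by the receiver
    attacker: browserPostMessage(attacker, bank, req, "https://bank.example"),
    // sender names the wrong recipient: the browser never delivers it
    wrongTarget: browserPostMessage(partner, bank, req, "https://other.example"),
  };
}
```

In a real page the receiver would be registered with `window.addEventListener("message", makeReceiver([...]))` and the sender would call `frame.contentWindow.postMessage(data, "https://bank.example")`; the allowlist and the targetOrigin are the two checks that carry the trust decision, and neither of them consults DNS.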

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 10 May 2012 05:18:33 GMT