Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

From: Jonathan Rees <jar@creativecommons.org>
Date: Thu, 11 Jun 2009 07:35:57 -0400
Message-ID: <760bcb2a0906110435g387ab94bwb31c38b4b70babef@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>

I think this may be a foolish question, but is the value of Origin:
limited to sites? Couldn't it be an individual web page (URI)? Or a
wildcard? Is there some principled reason for such a limitation (if it
exists)?

I took a look at the HTML5 draft (cited by CORS) and couldn't quite
figure this out.

Thanks
Jonathan
Received on Thursday, 11 June 2009 11:36:37 GMT