
Re: [cors] Protecting benign but buggy client side code

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 27 Aug 2010 13:30:48 +0200
To: public-webapps <public-webapps@w3.org>, "Devdatta Akhawe" <dev.akhawe@gmail.com>
Message-ID: <op.vh3gxmle64w2qv@anne-van-kesterens-macbook-pro.local>
On Sat, 21 Aug 2010 03:59:09 +0200, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> It seems that over here Facebook is a benign server that some time in
> the past assumed that XHR can only be same origin, and with the
> introduction of cross origin XHR is suddenly vulnerable to XSS. In
> general, a client needs to 'add' stuff to its js to be safe after the
> introduction of XHR. This isn't ideal.

Yeah, this was discussed some time ago on this list already. We decided this risk was minor enough, especially now lots of shipping clients expose this already.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Friday, 27 August 2010 11:31:26 GMT
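The client-side pattern the quoted message describes, as an added example written for this archive page rather than code from the thread or from any real site: a fragment loader written under the old "XHR is same-origin only" assumption, beside a hardened version that checks that assumption before issuing the request and renders the body as text. The page origin, the transport stand-in for XMLHttpRequest and the response strings are all constructed.

```javascript
// Added example (not from the thread): the "benign but buggy" client pattern
// and a hardened version. Runs under Node; PAGE_ORIGIN and the transport are
// constructed stand-ins for the page's origin and for XMLHttpRequest.
const PAGE_ORIGIN = "https://app.example";

// True only if `url` resolves to the page's own scheme/host/port. Relative
// URLs resolve against the page, so "/api/x" is same-origin while
// "//other.example/x" and "http://app.example/x" are not.
function isSameOrigin(url, pageOrigin = PAGE_ORIGIN) {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch {
    return false; // unparsable input is treated as untrusted
  }
}

// Legacy code: written when XHR could not reach other origins, so whatever
// came back was assumed to be our own server's HTML and inserted as markup.
// Once CORS shipped, a server elsewhere could opt in with
// Access-Control-Allow-Origin and this sink would receive its body.
function legacyFetchAndRender(url, transport, sink) {
  sink.innerHTML = transport(url);
  return sink.innerHTML;
}

// Hardened code: the same-origin assumption becomes an explicit check made
// before the request is issued, and the body is rendered as text, so even a
// same-origin response that contains markup is not interpreted as HTML.
function hardenedFetchAndRender(url, transport, sink) {
  if (!isSameOrigin(url)) {
    throw new Error(`refusing cross-origin request to ${url}`);
  }
  sink.textContent = transport(url);
  return sink.textContent;
}

// Constructed transport: every request "succeeds", which is what a browser
// sees when the other origin answers with Access-Control-Allow-Origin: *.
function fakeTransport(url) {
  return isSameOrigin(url)
    ? "<b>Alice</b>"
    : "<i>markup chosen by the other origin</i>";
}

// DOM-free sink so the example runs outside a browser.
function makeSink() {
  return { innerHTML: "", textContent: "" };
}
```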
