Re: Kickoff application manifest work

On Wed, 19 Jun 2013 11:27:33 +0200, Anne van Kesteren <annevk@annevk.nl>  
wrote:

> On Wed, Jun 19, 2013 at 3:59 PM, Charles McCathie Nevile
> <chaals@yandex-team.ru> wrote:
>> On Wed, 19 Jun 2013 06:56:13 +0200, Anne van Kesteren <annevk@annevk.nl>
>> wrote:
>>> Downside of that approach is increased attack surface for a suite
>>> [of] applications
>>
>> Can you please expand on that?
>
> Say you have http://example.org/mail/ and http://example.org/contacts/
> Because of the way origin-restrictions work today, if I find an
> XSS-exploit for /contacts/, I can get to /mail/'s data too.

"click". OK. Thanks :)

> We could maybe make an opt-in change to origin to provide further
> robustness to such setups, by allowing path or some such to be added
> to the computation of origin. Given the way CORS and such work now I'm
> not sure how deployable such a change would be, even if opt-in, but
> it's worth exploring I think.

Yeah, I think it is too.

One of the scenarios I have in mind is where a few apps from an origin use  
some common stuff. Which is obviously increasing the attack surface in the  
way that you mention, but if the same people are forced to use different  
origins for stuff that is copy-pasted across then I am not sure we are  
really exposing anything new except a requirement to buy more domains...

cheers

-- 
Charles McCathie Nevile - Consultant (web standards) CTO Office, Yandex
       chaals@yandex-team.ru         Find more at http://yandex.com

Received on Wednesday, 19 June 2013 10:40:32 UTC
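
The point in the quoted reply about http://example.org/mail/ and http://example.org/contacts/, shown as an added example that is not part of the original message: today's origin comparison ignores the path, so both applications fall into one origin. `pathScopedOrigin()` is a hypothetical sketch of the opt-in idea discussed above, with the assumption that the first path segment is used as the scope; it is not a specified or implemented mechanism.

```javascript
// Added illustration. pathScopedOrigin() is a hypothetical sketch of the
// opt-in idea discussed above; it is not a web platform API.

// Origin as computed today: scheme + host + port. URL.origin drops the path.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Hypothetical opt-in variant: append the first path segment to the origin.
// The URL parser has already resolved "." and ".." segments, so the scope
// is taken from the normalized path, not from the raw string.
function pathScopedOrigin(url) {
  const u = new URL(url);
  const first = u.pathname.split("/")[1];
  return u.origin + (first ? "/" + first + "/" : "/");
}

function sameScopedOrigin(a, b) {
  return pathScopedOrigin(a) === pathScopedOrigin(b);
}

// The two applications named in the message.
const MAIL = "http://example.org/mail/";
const CONTACTS = "http://example.org/contacts/";

function report() {
  return {
    // Today: one origin, so script running in /contacts/ shares /mail/'s origin.
    todaySameOrigin: sameOrigin(MAIL, CONTACTS),
    // With the hypothetical path scope, the two applications are separated.
    scopedSameOrigin: sameScopedOrigin(MAIL, CONTACTS),
    // Pages inside one application still share a scope.
    withinMail: sameScopedOrigin(MAIL, "http://example.org/mail/inbox?id=1"),
    // Constructed input: a dot-segment path lands in the scope it resolves to.
    dotDotResolved: pathScopedOrigin("http://example.org/contacts/../mail/x"),
  };
}

console.log(report());
```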