Re: CORS from Florian Bösch on 2017-10-10 (public-webapps@w3.org from October to December 2017)

From: Florian Bösch <pyalot@gmail.com>
Date: Tue, 10 Oct 2017 18:18:58 +0200
To: Travis Leithead <travis.leithead@microsoft.com>
Cc: "Jack (Zhan, Hua Ping)" <jackiszhp@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CAOK8ODgq1_uKb78XXZdGzGrSJLTBkX7yqJuqSQCH+DB+dVmh2g@mail.gmail.com>

On Tue, Oct 10, 2017 at 5:33 PM, Travis Leithead <
travis.leithead@microsoft.com> wrote:

> While the Adobe solution you mention below seems OK at first, note that
> the requestor for permissions is self-granting the permission. In other
> words, it would be just as easy for: https://evil.com/ to add <meta
> name="sameOrigin" content="https://popularbank.com" /> and grant
> permission to itself to access your bank. A self-granting permission model
> just isn't secure--the permission grant must come from the resource being
> requested.


Was about to point that out. Never heard about Adobes approach, but you'd
think that overtime Adobe would get security right. Apparently not.

Received on Tuesday, 10 October 2017 16:19:22 UTC