
Re: webappsec-ISSUE-15 (SRCDOC, BLOB, ETC): How to handle srcdoc, blob:, di: and ways of directly creating content

From: Odin Hørthe Omdal <odinho@opera.com>
Date: Wed, 04 Jul 2012 10:51:25 +0200
To: "Web Application Security Working Group" <public-webappsec@w3.org>
Message-ID: <op.wgwyvz1p49xobu@odinho-fido.oslo.osa>
On Tue, 03 Jul 2012 23:43:15 +0200, Web Application Security Working Group  
Issue Tracker <sysbot+tracker@w3.org> wrote:

> webappsec-ISSUE-15 (SRCDOC, BLOB, ETC): How to handle srcdoc, blob:, di:  
> and ways of directly creating content
> http://www.w3.org/2011/webappsec/track/issues/15
> Raised by: Brad Hill
> On product:
> http://lists.w3.org/Archives/Public/public-whatwg-archive/2012May/0100.html
> How to handle "inline" content either by attribute or URI schemes that
> specify content or origin-ambiguous pointers to content needs to be
> documented.  This may provide a way for injected content to add
> unauthorized content if such content does not inherit the parent's CSP
> policies, for example.


I understood it so that they get a Global Unique Identifier as Origin.
More often we know the GUID as 'null' because that's what it serializes
to, however, internally it's supposed to be a truly unique number. As long
as it doesn't just store Origin 'null' for everything so that 'null' ===
'null' in the code, same-origin defences will (hopefully) kick in.

Definitely worth taking a closer look at though. Something you have on
your agenda already, Brad? :-)

-- 
Odin Hørthe Omdal (Velmont/odinho) · Core, Opera Software, http://opera.com
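The distinction Odin draws above, modelled as an added example (not code from the message or from any browser): opaque origins for directly created content all serialize to "null", so a same-origin check must compare their identity, not their serialized string. Function names such as makeOpaqueOrigin and sameOrigin are assumptions made for this illustration.

```javascript
// Added example modelling origin comparison for content created directly
// (iframe srcdoc, blob: URLs, data: URIs). Not browser code; the names
// makeTupleOrigin / makeOpaqueOrigin / sameOrigin are assumptions.

// A "tuple" origin is (scheme, host, port). An opaque origin carries only a
// fresh identity token; it has no scheme/host/port to compare.
let nextOpaqueId = 0;
function makeTupleOrigin(scheme, host, port) {
  return { kind: "tuple", scheme, host, port };
}
function makeOpaqueOrigin() {
  // Each call yields a distinct identity (the "globally unique identifier").
  return { kind: "opaque", id: ++nextOpaqueId };
}

// Serialization is what scripts and headers see: every opaque origin becomes
// the string "null", so two different opaque origins look identical here.
function serializeOrigin(o) {
  if (o.kind === "opaque") return "null";
  return `${o.scheme}://${o.host}${o.port === null ? "" : ":" + o.port}`;
}

// Correct same-origin check: tuple origins compare field by field; an opaque
// origin is same-origin only with itself (identity, not string value).
function sameOrigin(a, b) {
  if (a.kind === "opaque" || b.kind === "opaque") {
    return a.kind === "opaque" && b.kind === "opaque" && a.id === b.id;
  }
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The defect the message warns about: comparing serialized forms makes
// "null" === "null" true, so every opaque origin matches every other one.
function sameOriginBySerialization(a, b) {
  return serializeOrigin(a) === serializeOrigin(b);
}

// Constructed scenario: two unrelated documents created from srcdoc/blob:.
function demo() {
  const first = makeOpaqueOrigin();   // e.g. one srcdoc frame
  const second = makeOpaqueOrigin();  // e.g. an unrelated blob: document
  return {
    correct: sameOrigin(first, second),                        // false
    bySerialization: sameOriginBySerialization(first, second), // true (bug)
    selfCorrect: sameOrigin(second, second),                   // true
  };
}
```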
Received on Wednesday, 4 July 2012 08:51:59 GMT
