Re: ISSUE-44: Same-origin policy identity query via script-hash. issue is you do a third party inline script with a known script-hash. if it succeeds, you know that the target was as expected, even though you can't read it

Hi.
I think the script-hash and script-nonce combination can be the answer.


On Wed, Feb 27, 2013 at 7:41 AM, Web Application Security Working Group
Issue Tracker <sysbot+tracker@w3.org> wrote:

> ISSUE-44: Same-origin policy identity query via script-hash. issue is you
> do a third party inline script with a known script-hash. if it succeeds,
> you know that the target was as expected, even though you can't read it
>
> http://www.w3.org/2011/webappsec/track/issues/44
>
> Raised by:
> On product:


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Wednesday, 27 February 2013 14:08:54 UTC