
Re: ISSUE-44: Same-origin policy identity query via script-hash. issue is you do a third party inline script with a known script-hash. if it succeeds, you know that the target was as expected, even though you can't read it

From: Mountie Lee <mountie.lee@mw2.or.kr>
Date: Wed, 27 Feb 2013 23:08:04 +0900
Message-ID: <CAE-+aY+HZ8u-kKaiPxEqbhAKipei_zpWtTgPdDCmzV9YW3bNYA@mail.gmail.com>
To: Web Application Security Working Group <public-webappsec@w3.org>
Hi.
I think the script-hash and script-nonce combination can be the answer.


On Wed, Feb 27, 2013 at 7:41 AM, Web Application Security Working Group
Issue Tracker <sysbot+tracker@w3.org> wrote:

> ISSUE-44: Same-origin policy identity query via script-hash. issue is you
> do a third party inline script with a known script-hash. if it succeeds,
> you know that the target was as expected, even though you can't read it
>
> http://www.w3.org/2011/webappsec/track/issues/44
>
> Raised by:
> On product:


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Wednesday, 27 February 2013 14:08:54 GMT
