[whatwg] Caching offline Web applications

On Tue, Oct 21, 2008 at 12:47 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Tue, 21 Oct 2008, Dave Camp wrote:
>> On Fri, Oct 17, 2008 at 6:36 PM, Ian Hickson <ian at hixie.ch> wrote:
>> > Summary of changes:
>>
>> >  * Made application caches scoped to their browsing context, and allowed
>> >   iframes to start new scopes. By default the contents of an iframe are
>> >   part of the appcache of the parent, but if you declare a manifest, you
>> >   get your own cache.
>>
>> Should this inheritance be subject to the same origin restriction
>> enforced while selecting a cache during navigation?
>
> The same-origin restriction is intended to prevent people from setting up
> their manifests such that another site will stop being fetched from the
> net. In an iframe, the risk isn't present, since you have to go to the
> evil site in the first place, and it has to explicitly pick the victim
> site in an iframe. Since you can't tell what the URL of the victim iframe
> content is anyway, there's no practical difference between it being on a
> remote site or the same site, as far as i can tell.
>
> No?

Yeah, but it does let an evil site persist a potential dom-based xss
attack permanently.  It still depends on you visiting the evil site
repeatedly, though.

-dave

Received on Tuesday, 21 October 2008 14:24:24 UTC