
[whatwg] Workers and URL origin check

From: Adam Barth <whatwg@adambarth.com>
Date: Thu, 28 May 2009 00:13:21 -0700
Message-ID: <7789133a0905280013r5eed50bk12823c511f47ef33@mail.gmail.com>
On Wed, May 27, 2009 at 5:13 PM, Dmitry Titov <dimich at chromium.org> wrote:
> Should the spec simply require the redirected, final URLs to be checked
> against parent's and reject the script if redirection results in a different
> origin?

I suspect the correct behavior is to make sure every URL on the
redirect chain is from the same origin as the original document.
Letting the attacker redirect the request to an arbitrary URL in
the victim's origin is a recipe for disaster.

Adam
Received on Thursday, 28 May 2009 00:13:21 UTC
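To make the difference between the two proposals concrete, here is an added example (not code from the thread, and not a browser's actual worker-loading code) that applies each policy to a Worker script fetch that went through HTTP redirects. The document and script hosts are constructed placeholders.

```javascript
// Added example: the two redirect-chain policies discussed above, compared.
// Origins are compared as the usual scheme/host/port tuple via the URL API.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Policy from the quoted question: only the final, post-redirect URL has to
// match the document's origin.
function finalUrlOnlyCheck(documentUrl, redirectChain) {
  const finalUrl = redirectChain[redirectChain.length - 1];
  return sameOrigin(documentUrl, finalUrl);
}

// Policy from the reply: every URL on the chain, starting with the one the
// worker was created with, has to match the document's origin.
function everyHopCheck(documentUrl, redirectChain) {
  return redirectChain.every((url) => sameOrigin(documentUrl, url));
}

// Constructed sample data (hypothetical hosts, not from the thread).
const DOCUMENT_URL = 'https://app.example/index.html';

// A chain that never leaves the document's origin: both policies accept it.
const internalChain = [
  'https://app.example/worker.js',
  'https://app.example/static/worker-v2.js',
];

// A chain that starts in the document's origin, passes through a third-party
// host, and lands back in the document's origin. The third party picked the
// final URL. The final-URL-only policy accepts this; the every-hop policy
// rejects it because one hop is cross-origin.
const bouncedChain = [
  'https://app.example/worker.js',
  'https://cdn.third-party.example/worker.js',
  'https://app.example/internal/privileged-worker.js',
];

function evaluate(documentUrl, chain) {
  return {
    finalUrlOnly: finalUrlOnlyCheck(documentUrl, chain),
    everyHop: everyHopCheck(documentUrl, chain),
  };
}

console.log('internal chain:', evaluate(DOCUMENT_URL, internalChain));
console.log('bounced chain: ', evaluate(DOCUMENT_URL, bouncedChain));
```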
