- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 7 Feb 2008 23:05:31 +0000 (UTC)
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
On Thu, 7 Feb 2008, Close, Tyler J. wrote: > > The current design clearly doesn't provide any such protection since the > _user_'s consent is not required for the third-party site to issue the > cross-domain request. Just because a third-party site wants to delete my > email and has the permission to do so with my consent, doesn't mean it > should be allowed to go ahead and do so without my consent. The current > design never requires the user's consent to wield the user's authority. A victim site that trusts a hostile site is as likely to expose a user to this kind of attack today as it is with Access-Control. Again, I don't see any way to prevent such an attack when the victim site is misconfigured. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 7 February 2008 23:05:47 UTC