W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > October 2011

[Bug 14392] Remove locked same-origin policy from HTML5 spec

From: <bugzilla@jessica.w3.org>
Date: Wed, 05 Oct 2011 19:48:48 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1RBXSS-0001N4-VG@jessica.w3.org>

Collin Jackson <w3c@collinjackson.com> changed:

           What    |Removed                     |Added
            Summary|This is not an effective    |Remove locked same-origin
                   |way to isolate documents if |policy from HTML5 spec
                   |they import script via      |
                   |relative URLs or have forms |
                   |that submit to relative     |
                   |URLs, so it seems dangerous |
                   |to include in the HTML5     |
                   |spec. See                   |
                   |http://w2spconf.com/2008/pa |
                   |pers/s2p1.pdf               |

--- Comment #1 from Collin Jackson <w3c@collinjackson.com> 2011-10-05 19:48:48 UTC ---
The specific text is:

In addition, if the URL is in fact associated with a Document object that was
created by parsing the resource obtained from fetching URL, and this was done
over a secure connection, then the server's secure certificate may be added to
the origin as additional data.

This "locked same-origin policy" was originally proposed in by Karlof et al in
"Dynamic pharming attacks and locked same-origin policies for web browsers"
(CCS 2007).

However, locked SOP is not an effective way to isolate documents if they import
script via relative URLs or have forms that submit to relative URLs. See

Because it's so hard to use securely, it seems dangerous to include in the
HTML5 spec.

Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 5 October 2011 19:48:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:02:05 UTC