- From: Michael Smith via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 27 Jan 2010 22:37:03 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec-author-view In directory hutz:/tmp/cvs-serv4662 Modified Files: Overview.html acknowledgements.html iana.html spec.html Log Message: Mention same-origin attacks and the importance of compartmentalization. (whatwg r4629) [updated by splitter] Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec-author-view/Overview.html,v retrieving revision 1.619 retrieving revision 1.620 diff -u -d -r1.619 -r1.620 --- Overview.html 27 Jan 2010 08:36:59 -0000 1.619 +++ Overview.html 27 Jan 2010 22:37:00 -0000 1.620 @@ -283,7 +283,7 @@ </dl><p>This specification is available in the following formats: <a href="spec.html">single page HTML</a>, <a href="Overview.html">multipage HTML</a>. -This is revision 1.3689. +This is revision 1.3690. </p> <p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2009 <a href="http://www.w3.org/"><abbr title="World Wide Index: iana.html =================================================================== RCS file: /sources/public/html5/spec-author-view/iana.html,v retrieving revision 1.19 retrieving revision 1.20 diff -u -d -r1.19 -r1.20 --- iana.html 14 Jan 2010 08:12:45 -0000 1.19 +++ iana.html 27 Jan 2010 22:37:00 -0000 1.20 
@@ -331,6 +331,21 @@ Internet. This can expose local network topologies that the attacker would otherwise not be able to determine.</p> + <p>HTML relies on a compartmentalization scheme sometimes known as + the <i>same-origin policy</i>. An <a href="#origin">origin</a> in most + cases consists of all the pages served from the same host, on the + same port, using the same protocol.</p> + + <p>It is critical, therefore, to ensure that any untrusted content + that forms part of a site be hosted on a different + <a href="#origin">origin</a> than any sensitive content on that site. + Untrusted content can easily spoof any other page on the same + origin, read data from that origin, cause scripts in that origin + to execute, submit forms to and from that origin even if they are + protected from cross-site request forgery attacks by unique + tokens, and make use of any third-party resources exposed to or + rights granted to that origin.</p> + </dd> <dt>Interoperability considerations:</dt> <dd> Index: spec.html =================================================================== RCS file: /sources/public/html5/spec-author-view/spec.html,v retrieving revision 1.624 retrieving revision 1.625 diff -u -d -r1.624 -r1.625 --- spec.html 27 Jan 2010 08:36:59 -0000 1.624 +++ spec.html 27 Jan 2010 22:37:00 -0000 1.625 @@ -281,7 +281,7 @@ </dl><p>This specification is available in the following formats: <a href=spec.html>single page HTML</a>, <a href=Overview.html>multipage HTML</a>. -This is revision 1.3689. +This is revision 1.3690. </p> <p class=copyright><a href=http://www.w3.org/Consortium/Legal/ipr-notice#Copyright>Copyright</a> © 2009 <a href=http://www.w3.org/><abbr title="World Wide 
@@ -24900,6 +24900,21 @@ Internet. This can expose local network topologies that the attacker would otherwise not be able to determine.</p> + <p>HTML relies on a compartmentalization scheme sometimes known as + the <i>same-origin policy</i>. An <a href=#origin>origin</a> in most + cases consists of all the pages served from the same host, on the + same port, using the same protocol.</p> + + <p>It is critical, therefore, to ensure that any untrusted content + that forms part of a site be hosted on a different + <a href=#origin>origin</a> than any sensitive content on that site. + Untrusted content can easily spoof any other page on the same + origin, read data from that origin, cause scripts in that origin + to execute, submit forms to and from that origin even if they are + protected from cross-site request forgery attacks by unique + tokens, and make use of any third-party resources exposed to or + rights granted to that origin.</p> + </dd> <dt>Interoperability considerations:</dt> <dd> @@ -28366,6 +28381,7 @@ Ben Leslie, Ben Meadowcroft, Ben Millard, + Benjamin Carl Wiley Sittler, Benjamin Hawkes-Lewis, Bert Bos, Bijan Parsia, Index: acknowledgements.html =================================================================== RCS file: /sources/public/html5/spec-author-view/acknowledgements.html,v retrieving revision 1.563 retrieving revision 1.564 diff -u -d -r1.563 -r1.564 --- acknowledgements.html 21 Jan 2010 00:11:15 -0000 1.563 +++ acknowledgements.html 27 Jan 2010 22:37:00 -0000 1.564 @@ -325,6 +325,7 @@ Ben Leslie, Ben Meadowcroft, Ben Millard, + Benjamin Carl Wiley Sittler, Benjamin Hawkes-Lewis, Bert Bos, Bijan Parsia,
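Review bot: In the iana.html hunk at @@ -331, the origin definition ("same host, on the same port, using the same protocol") is hedged with "in most cases" but the hunk never says what the other cases are; since the sentence already links to the #origin section, either drop the hedge or say explicitly that the exceptions are defined there, so readers of the media-type security considerations are not left guessing. The second paragraph could also be made more actionable by tying "a different origin" back to the definition just given: per that definition, content served from a different host, a different port, or a different scheme is a different origin, so the requirement is met by any one of those, not only by a separate domain. Finally, the clause "even if they are protected from cross-site request forgery attacks by unique tokens" follows directly from the earlier capability "read data from that origin" (same-origin content can read the token); stating that link in one phrase would make clear why per-request tokens do not help here.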
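Review bot: The spec.html hunk at @@ -24900 repeats the two same-origin paragraphs from the iana.html hunk word for word, which matches the "[updated by splitter]" note in the log message; any wording fix to those paragraphs should be applied once in the source that the splitter consumes rather than in one of the generated files, otherwise Overview.html/spec.html and iana.html will drift apart on a security-relevant statement.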
Received on Wednesday, 27 January 2010 22:37:05 UTC