- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 25 Jun 2012 15:17:05 -0400
- To: Ian Hickson <ian@hixie.ch>
- CC: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
On 6/22/12 7:07 PM, Ian Hickson wrote: > There's lots of other ways to screw it up, e.g. anything on > foo.example.com that reflects HTML back, even if it checks the origin of > the submitter, would end up letting B run code in A's origin, letting C do > whatever it wants with B I don't follow this. > Similarly, anything on any other port on any > other subdomain of example.com can now access A and B. No, A and C. Can't access B. > In general, authors should IMHO assume that if they've set document.domain to let another > origin's pages access them, they've given access to the entire origin. They don't assume that right now, and if it actually worked that way some things would be pretty broken. > If that's not acceptable, then they shouldn't use document.domain, but should > instead use one of the more secure mechanisms like postMessage(). That doesn't help with existing content. -Boris
Received on Monday, 25 June 2012 19:17:38 UTC