- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 03 Dec 2009 13:35:52 -0800
- To: Adam Barth <w3c@adambarth.com>
- CC: Tyler Close <tyler.close@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org

On 12/3/09 1:26 PM, Adam Barth wrote:
> Imagine frame A is from foo.example.com and frame B is from
> bar.example.com. Now, both set their document.domain to
> "example.com". Once they do this, they can script each other, so
> frame A injects a script tag into frame B. When that script runs, it
> can make a PUT request to bar.example.com with XMLHttpRequest.

Ah right. I got "example.com" stuck in my head and thought you were PUTing to that.

Received on Thursday, 3 December 2009 21:36:33 UTC