- From: Mary Ellen Zurko <mzurko@us.ibm.com>
- Date: Fri, 4 Dec 2009 10:36:07 -0500
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Received on Friday, 4 December 2009 15:35:29 UTC
> The Origin header as used in HTML5 is at best tangentially related to
> the same-origin policy. It does depend on the origin notion, but it
> has a different purpose. Same-origin is about preventing Cross-Site
> Scripting (XSS) attacks. Origin (as used in HTML5) primarily helps to
> mitigate Cross-Site Request Forgery (CSRF) attacks. Same-origin policy
> is about preventing actions on the client side. Origin is about
> labeling requests to allow the server to optionally use that
> information.

Not to be a total pedant, but since this is an issue near and dear to my heart... same-origin is about mitigating XSS, not preventing it, right? Since in web apps that allow users to collaborate with content that might include (D)HTML, same-origin is of no help at all. Right?
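The quoted text describes the Origin header as a label the server may optionally use to mitigate CSRF. The following is an added example, not part of the original thread and not code from either correspondent, showing what such a server-side use looks like: a pure function over request headers so it runs offline, with constructed sample requests rather than captured traffic. The names `checkOrigin`, `normalizeOrigin` and `DEMO_ALLOWED_ORIGINS`, and the `allowMissing` policy switch, are hypothetical choices for this demo.

```javascript
// Added example (not from the W3C thread): using the HTML5 Origin header as a
// server-side CSRF signal. Header names are lower-case as Node's req.headers
// presents them; the function takes plain objects so no web server is needed.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Hypothetical allow-list for this demo: the site's own origin.
const DEMO_ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Turn a raw header value into a canonical serialized origin, or null if it is
// not one. URL.origin lower-cases scheme/host and drops default ports, so
// "https://App.Example.com:443" compares equal to "https://app.example.com".
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    // Covers garbage and the literal "null" sent for opaque/sandboxed origins.
    return null;
  }
  // A serialized origin carries no path (beyond "/"), query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  return url.origin;
}

// Decide whether a request may proceed based solely on method + Origin header.
// allowMissing (hypothetical option) controls the fail-open/fail-closed choice
// for clients that send no Origin header at all.
function checkOrigin(method, headers, allowedOrigins, options = {}) {
  const { allowMissing = false } = options;
  const verb = String(method).toUpperCase();

  // Safe methods do not change state, so the CSRF check does not apply.
  if (SAFE_METHODS.has(verb)) {
    return { allowed: true, reason: "safe method, no CSRF check" };
  }

  const raw = headers["origin"];
  if (raw === undefined) {
    return allowMissing
      ? { allowed: true, reason: "no Origin header; permitted by policy" }
      : { allowed: false, reason: "no Origin header on state-changing request" };
  }

  const origin = normalizeOrigin(raw);
  if (origin === null) {
    return { allowed: false, reason: `unparseable or opaque Origin: ${raw}` };
  }
  if (allowedOrigins.has(origin)) {
    return { allowed: true, reason: `Origin ${origin} is allowed` };
  }
  return { allowed: false, reason: `cross-site request from ${origin}` };
}

// Constructed sample requests (not captured traffic) exercising each branch.
const DEMO_REQUESTS = [
  { method: "POST", headers: { origin: "https://app.example.com" } }, // same site
  { method: "POST", headers: { origin: "https://evil.example.net" } }, // cross-site
  { method: "POST", headers: {} },                                     // no Origin
  { method: "POST", headers: { origin: "null" } },                     // opaque origin
  { method: "GET", headers: {} },                                      // safe method
];

// Returns the allow/deny verdict for each sample request, in order.
function runDemo(options = {}) {
  return DEMO_REQUESTS.map((r) =>
    checkOrigin(r.method, r.headers, DEMO_ALLOWED_ORIGINS, options).allowed
  );
}

// Usage: node origin-check.js
console.log(runDemo());                        // strict policy
console.log(runDemo({ allowMissing: true }));  // fail-open for Origin-less clients
```

The check only tells the server where the browser says the request was initiated; it does nothing about script that is already running inside the page's own origin, which is the distinction the quoted paragraph draws between Origin (a CSRF signal for the server) and the same-origin policy (client-side enforcement).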