- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 4 Dec 2009 08:13:38 -0800
- To: Mary Ellen Zurko <mzurko@us.ibm.com>
- Cc: Maciej Stachowiak <mjs@apple.com>, public-web-security@w3.org
On Fri, Dec 4, 2009 at 7:36 AM, Mary Ellen Zurko <mzurko@us.ibm.com> wrote:
> Not to be a total pedant, but since this is an issue near and dear to my
> heart...
>
> same-origin is about mitigating XSS, not preventing it, right? Since in web
> apps that allow users to collaborate with content that might include
> (D)HTML, same-origin is of no help at all. Right?

The same-origin policy is somewhat of a "catch-all" phrase that refers to the security limitations we impose on web content to let users visit untrusted web sites securely. Among other things, the same-origin policy prevents web sites from writing arbitrary files to your hard drive and prevents malicious web sites from disrupting the confidentiality or integrity of your sessions with honest web sites. It's possible one could imagine inventing other terms to denote various pieces of this broad landscape, but there are already more terms in web security than we need. :)

Adam
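The exchange above turns on what "same origin" actually compares. The following is an added example, not code from the thread or from either participant: it computes the origin tuple (scheme, host, port) that browsers use for the same-origin policy and checks pairs of constructed URLs against it. The first case illustrates Mary Ellen's point: two documents in one collaborative app share an origin regardless of path, so the policy draws no boundary between a user's own document and another user's (D)HTML rendered in the same app. The hostnames are placeholders.

```javascript
// Added example: the (scheme, host, port) tuple the same-origin policy compares.
// Uses the WHATWG URL parser available as the global URL in browsers and Node.

function originOf(urlString) {
  const u = new URL(urlString);
  // The URL parser leaves u.port empty when the port is the scheme's default,
  // so fill it in explicitly to make "https://a" and "https://a:443" compare equal.
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Two URLs are same-origin only when all three components match; the path,
// query and fragment play no part in the comparison.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed URL pairs (app.example is a placeholder host).
const CASES = [
  ["https://app.example/docs/1", "https://app.example/docs/2"], // same origin: path ignored
  ["https://app.example/", "https://app.example:443/"],          // same origin: default port
  ["https://app.example/", "http://app.example/"],               // different scheme
  ["https://app.example/", "https://api.app.example/"],          // different host
  ["https://app.example/", "https://app.example:8443/"],         // different port
];

function runCases() {
  return CASES.map(([a, b]) => ({ a, b, same: sameOrigin(a, b) }));
}

for (const c of runCases()) {
  console.log(`${c.same ? "same     " : "different"}  ${c.a}  vs  ${c.b}`);
}
```

The first line of output is the one that matters for the XSS discussion: because `/docs/1` and `/docs/2` are the same origin, script injected into one document runs with the full authority of the other. Isolating user-authored content therefore has to be done by the application (sanitising the markup, or serving it from a separate origin), not by the browser's origin check.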
Received on Friday, 4 December 2009 16:14:41 UTC