- From: Maciej Stachowiak <mjs@apple.com>
- Date: Fri, 04 Dec 2009 10:00:45 -0800
- To: Mary Ellen Zurko <mzurko@us.ibm.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
- Message-id: <BBD3624F-1CAD-46AC-B78A-383D8DA05F24@apple.com>
On Dec 4, 2009, at 7:36 AM, Mary Ellen Zurko wrote: > > The Origin header as used in HTML5 is at best tangentially related > to > > the same-origin policy. It does depend on the origin notion, but it > > has a different purpose. Same-origin is about preventing Cross-Site > > Scripting (XSS) attacks. Origin (as used in HTML5) primarily helps > to > > mitigate Cross-Site Request Forgery (CSRF) attacks. Same-origin > policy > > is about preventing actions on the client side. Origin is about > > labeling requests to allow the server to optionally use that > > information. > > Not to be a total pedant, but since this is an issue near and dear > to my heart... > > same-origin is about mitigating XSS, not preventing it, right? Since > in web apps that allow users to collaborate with content that might > include (D)HTML, same-origin is of no help at all. right? There's really several kinds of XSS: 1) reflective XSS - site incorporates part of the request (usually the URL) in the response without sufficient escaping, allowing script injection from an attacker 2) persistent XSS - site persistently stores data from an attacker (for example, user-generated content is posted to a social network page or blog comment field) and then includes it in served content, without sufficient checks or escaping to prevent script, allowing script injection from an attacker 3) direct XSS - script from site A running in the browser directly accesses the DOM for content from site B Same-origin policy is intended to prevent the third kind and does not address the first two kinds at all. If browsers did not have the same- origin policy for scripting, then it would be very difficult, perhaps impossible, for sites to prevent type 3. Regards, Maciej
Received on Friday, 4 December 2009 18:01:19 UTC