- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 04 Dec 2009 14:51:17 -0800
- To: Mary Ellen Zurko <mzurko@us.ibm.com>
- CC: Maciej Stachowiak <mjs@apple.com>, public-web-security@w3.org
On 12/4/09 7:36 AM, Mary Ellen Zurko wrote:

>> Same-origin is about preventing Cross-Site Scripting (XSS) attacks.
>
> Not to be a total pedant, but since this is an issue near and dear to my heart...
>
> Same-origin is about mitigating XSS, not preventing it, right? Since in web apps that allow users to collaborate with content that might include (D)HTML, same-origin is of no help at all. Right?

The same-origin policy has been so effective at preventing direct scripting across sites that most "XSS" attacks people are familiar with have been various ways of injecting the code into the victim site through site flaws, bypassing the browsers' same-origin checks. But every new client feature has to take the same-origin policy carefully into account to avoid creating new client-side XSS avenues.
Received on Friday, 4 December 2009 22:52:05 UTC