- From: Eduardo Vela <sirdarckcat@gmail.com>
- Date: Mon, 7 Dec 2009 13:03:13 +0800
- To: public-web-security@w3.org
- Message-ID: <8ba534860912062103g1c4643c1w5e8bba659f14e307@mail.gmail.com>
Hi! I am confused about CORS... Is CORS for actually "dropping SOP" under certain conditions, or is it just an XHR thingy? I mean, does this mean that if https://www.example.net/ completely trusts http://www.example.com/, then http://www.example.com/ will be able to access the DOM of a frame on https://www.example.net/? Isn't this dangerous?

If, for example, www.bankofamerica.com trusts http://www.google.com/ (maybe because of some API or whatever..), and http://www.google.com/ trusts http://www.youtube.com/, and http://www.youtube.com/ trusts http://help.youtube.com/, and then I find an XSS on help.youtube.com, wouldn't I be capable of chaining these trust relationships and XSS bankofamerica?

I think that's not what CORS was meant for, but I'm confused since http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0931/draft.html says: "This specification defines an HTTP response header that allows a resource to opt-out of SOP protection for a given HTTP response." So this only applies to XHR? The abstract seems to say that: http://www.w3.org/Security/wiki/CORS but it's not very clear to me.. Sorry.. maybe I'm slow hehe. Can someone tell me if this is only for XHR or applies to all of SOP?

Thanks! Greetings!!
Received on Monday, 7 December 2009 05:04:07 UTC
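As an added illustration of the distinction the question is about (example code, not part of the thread or of any W3C draft): a small model of the two checks. `same_origin` is the SOP comparison a browser applies to DOM access between documents, and `cors_allows_read` models the CORS check a browser applies before letting a script read a cross-origin XHR response. The `TRUST` table and the origins in it are constructed from the question; each target's header is compared against the origin that actually sent the request, so "trust" does not chain, and none of it grants DOM access.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Reduce a URL to its (scheme, host, port) origin, the unit SOP compares."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS[p.scheme])


def same_origin(a, b):
    """SOP decision for DOM access between two documents: exact tuple match only.
    No HTTP header changes this result; CORS is not consulted here."""
    return origin_tuple(a) == origin_tuple(b)


def cors_allows_read(request_origin, response_headers, with_credentials=False):
    """Model of the CORS resource-sharing check for one XHR response.
    Access-Control-Allow-Origin must be '*' (non-credentialed requests only)
    or exactly the requesting origin; a list of origins is not a valid value."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials          # wildcard never works with credentials
    if " " in acao or "," in acao:
        return False                          # multiple values: treat as no grant
    if with_credentials and response_headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    return acao == request_origin


# Constructed from the question: each server names the single origin it allows.
TRUST = {
    "https://www.example.net": {"Access-Control-Allow-Origin": "http://www.example.com"},
    "http://www.google.com": {"Access-Control-Allow-Origin": "http://www.youtube.com"},
}


def can_read(script_origin, target_origin):
    """Can a script running at script_origin read an XHR response from target_origin?
    The check is made per response against the direct requester only."""
    return cors_allows_read(script_origin, TRUST.get(target_origin, {}))
```

Running `can_read("http://www.youtube.com", "https://www.example.net")` returns False even though youtube is trusted by google: the grant example.net made to example.com is never inherited by anyone example.com trusts.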