- From: Devdatta <dev.akhawe@gmail.com>
- Date: Sun, 6 Dec 2009 21:09:39 -0800
- To: sird@rckc.at
- Cc: public-web-security@w3.org
My reading of the CORS spec tells me it is just XHR (basically the XHR object can now do cross origin requests and read the response under specific conditions). I don't think it removes the same origin scripting restrictions that you are concerned about.

Cheers
Devdatta

2009/12/6 Eduardo Vela <sirdarckcat@gmail.com>:
> Hi!
>
> I am confused about CORS... CORS is for actually "dropping SOP" on certain
> conditions? or just a XHR thingy..
>
> I mean, this means that if:
>
> https://www.example.net/
>
> completely trusts http://www.example.com/ then http://www.example.com/ will
> be able to access the DOM of a frame on https://www.example.net/?
>
> Isn't this dangerous?
>
> If for example..
>
> www.bankofamerica.com trusts http://www.google.com/ (maybe because of some
> API or whatever..) and http://www.google.com/ trusts http://www.youtube.com/
> and http://www.youtube.com/ trusts http://help.youtube.com/ and then I find
> an XSS on help.youtube.com, wouldn't I be capable of chaining these trust
> relationships and XSS bankofamerica?
>
> I think that's not what CORS was meant for, but I'm confused since
> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0931/draft.html
>
> Says:
> This specification defines an HTTP response header that allows a resource to
> opt-out of SOP protection for a given HTTP response.
>
> So this only applies for XHR? The abstract seems to say that:
> http://www.w3.org/Security/wiki/CORS but it's not very clear to me..
> Sorry.. maybe I'm slow hehe can someone tell me if this is only for XHR or
> applies to all SOP?
>
> Thanks!
>
> Greetings!!
>
Received on Monday, 7 December 2009 05:10:32 UTC
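The point Devdatta makes (CORS is a per-response opt-out that lets XHR read a response, not a relaxation of DOM access, and a server decides for each request by comparing the Origin header against its own allow-list) can be modelled in a few lines. The following is an added example, not code from the thread or from any W3C draft; the function names, the allow-lists and the origins used in the walk-through are constructed for illustration, reusing the hostnames from Eduardo's message. It shows why the "trust chain" he describes does not compose: each resource checks the requesting origin directly, so a script running at www.youtube.com asking www.bankofamerica.com for a resource is judged against the bank's list, not Google's.

```python
# Added example (not from the mailing-list thread): a minimal model of the
# server-side CORS decision and the browser-side read check.
from typing import Dict, Optional, Set


def cors_response_headers(request_origin: Optional[str],
                          allowed_origins: Set[str],
                          with_credentials: bool = False) -> Dict[str, str]:
    """Headers a resource should attach to ONE response.

    The browser sends the requesting page's origin in the Origin request
    header.  The server reflects it in Access-Control-Allow-Origin only if
    that exact origin is on its own allow-list.  Nothing here grants DOM
    access to anyone; it only permits XHR at that origin to read this body.
    """
    headers: Dict[str, str] = {}
    if request_origin is None:
        return headers          # no Origin header: not a cross-origin XHR
    if request_origin not in allowed_origins:
        return headers          # not allowed: browser will hide the body
    headers["Access-Control-Allow-Origin"] = request_origin
    headers["Vary"] = "Origin"  # caches must key on the reflected origin
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_can_read(page_origin: str,
                     headers: Dict[str, str],
                     with_credentials: bool = False) -> bool:
    """Browser-side check: may a script at page_origin read the body?"""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        # A wildcard never authorises a credentialed request.
        return not with_credentials
    return acao == page_origin


def trust_chain_walkthrough() -> Dict[str, bool]:
    """Constructed allow-lists mirroring the chain in the question."""
    bank_allows = {"http://www.google.com"}
    google_allows = {"http://www.youtube.com"}
    results = {}
    # Google's own page may read the bank's CORS-enabled resource.
    results["google_reads_bank"] = browser_can_read(
        "http://www.google.com",
        cors_response_headers("http://www.google.com", bank_allows))
    # YouTube may read Google's resource...
    results["youtube_reads_google"] = browser_can_read(
        "http://www.youtube.com",
        cors_response_headers("http://www.youtube.com", google_allows))
    # ...but trust is not transitive: YouTube asking the bank is judged
    # against the bank's list, which does not contain YouTube.
    results["youtube_reads_bank"] = browser_can_read(
        "http://www.youtube.com",
        cors_response_headers("http://www.youtube.com", bank_allows))
    return results


if __name__ == "__main__":
    for name, allowed in trust_chain_walkthrough().items():
        print(f"{name}: {'readable' if allowed else 'blocked'}")
```

Two details worth keeping in mind when writing the real server side: reflect the Origin only after matching it against an explicit list (reflecting it unconditionally is equivalent to trusting every site), and emit `Vary: Origin` so a shared cache does not serve a response reflected for one origin to a page at another.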