- From: <sird@rckc.at>
- Date: Mon, 7 Dec 2009 14:41:21 +0800
- To: Devdatta <dev.akhawe@gmail.com>
- Cc: public-web-security@w3.org
- Message-ID: <8ba534860912062241s3c72f8eai5eba38b7dfdc8a7b@mail.gmail.com>
Oh I just reread Use Cases.. quoting:

> An XBL binding allows the document to which it is bound to have full access to the document in which it is defined. To prevent data theft cross-origin <http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html#cross-origin> XBL usage is therefore prohibited. The uniform messaging policy enables cross-origin <http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html#cross-origin> XBL bindings. If the user is authorized to use the XBL widget, it is possible to have user-specific cross-origin <http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html#cross-origin> bindings. [XBL] <http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html#ref-xbl>

So who allows the binding here?

a.example.com/mozbind.html or b.example.net/binding.xml

Obviously it must be a.example.com (right?)

so, now.. a.example.com can "bind" b.example.net bindings.. because a.example.com trusts b.example.net.

So this only applies for bindings or also for DOM?

Greetz!!

--
Eduardo
http://www.sirdarckcat.net/
Sent from Hangzhou, 33, China

On Mon, Dec 7, 2009 at 1:09 PM, Devdatta <dev.akhawe@gmail.com> wrote:
> My reading of the CORS spec tells me it is just XHR (basically the XHR
> object can now do cross origin requests and read the response under
> specific conditions). I don't think it removes the same origin
> scripting restrictions that you are concerned about.
>
> Cheers
> Devdatta
>
> 2009/12/6 Eduardo Vela <sirdarckcat@gmail.com>:
> > Hi!
> >
> > I am confused about CORS... CORS is for actually "dropping SOP" on certain
> > conditions? or just an XHR thingy..
> >
> > I mean, this means that if:
> >
> > https://www.example.net/
> >
> > completely trusts http://www.example.com/ then http://www.example.com/ will
> > be able to access the DOM of a frame on https://www.example.net/?
> >
> > Isn't this dangerous?
> >
> > If for example..
> >
> > www.bankofamerica.com trusts http://www.google.com/ (maybe because of some
> > API or whatever..) and http://www.google.com/ trusts http://www.youtube.com/
> > and http://www.youtube.com/ trusts http://help.youtube.com/ and then I find
> > an XSS on help.youtube.com, wouldn't I be capable of chaining these trust
> > relationships and XSS bankofamerica?
> >
> > I think that's not what CORS was meant for, but I'm confused since
> > http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0931/draft.html
> >
> > Says:
> > This specification defines an HTTP response header that allows a resource to
> > opt-out of SOP protection for a given HTTP response.
> >
> > So this only applies for XHR? The abstract seems to say that:
> > http://www.w3.org/Security/wiki/CORS but it's not very clear for me..
> > Sorry.. maybe I'm slow hehe can someone tell me if this is only for XHR or
> > applies to all SOP?
> >
> > Thanks!
> >
> > Greetings!!
> >
>
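Devdatta's point that CORS only governs what XHR may read, and Eduardo's worry about chained trust, can be made concrete with a model of the browser-side check below. This is an added example, not code from the list, the draft or any browser; the host names, paths and response headers are constructed, and the check is a simplified reading of the draft's resource-sharing rules.

```javascript
// Simplified model of the browser-side CORS resource-sharing check:
// given the requesting page's origin and the headers of a cross-origin
// response, decide whether XHR may expose that response body to script.
// Nothing here touches DOM access, which CORS leaves unchanged.

function normalizeHeaders(headers) {
  // HTTP header names are case-insensitive; compare on lower-case keys.
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

function corsReadAllowed(requestOrigin, withCredentials, rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return false; // no opt-in header: the response stays opaque to script
  }
  if (withCredentials) {
    // With cookies or HTTP auth attached, "*" is rejected and the server
    // must also explicitly allow credentials.
    return allowOrigin === requestOrigin &&
      h['access-control-allow-credentials'] === 'true';
  }
  // Without credentials: wildcard, or an exact (case-sensitive) origin match.
  return allowOrigin === '*' || allowOrigin === requestOrigin;
}

// Constructed sample responses from three hypothetical resources.
// example.net opts in only for www.example.com; example.com opts in for
// everyone; help.example.org sends no CORS header at all.
const SAMPLE_RESPONSES = {
  'https://www.example.net/api': {
    'Access-Control-Allow-Origin': 'http://www.example.com',
    'Access-Control-Allow-Credentials': 'true',
  },
  'http://www.example.com/widget': { 'Access-Control-Allow-Origin': '*' },
  'http://help.example.org/faq': {},
};

// Which sample resources may script running at `origin` read?
// Each response is checked against the actual requester, so example.net
// trusting example.com never lets help.example.org read example.net.
function readableResources(origin, withCredentials) {
  return Object.keys(SAMPLE_RESPONSES).filter((url) =>
    corsReadAllowed(origin, withCredentials, SAMPLE_RESPONSES[url]));
}
```

The decision is made per response against the origin that actually sent the request, which is why the a-trusts-b-trusts-c chain in the question never grants c a read of a.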
Received on Monday, 7 December 2009 06:42:15 UTC