Re: XSS mitigation in browsers

> The current text just uses the final URL.  Is there some reason every
> hop is important?  Using the final URL is analogous to how <iframe>
> works, for example.

Yeah, I meant to say it should not settling for checking the initial
URL only (this is a mistake repeated so many times with
XMLHttpRequest, etc, that it's becoming very sad). Last URL is
obviously fine.

> The attacker can always just avoid doing anything that triggers a
> SecurityViolation (because triggering SecurityViolations is useless
> from the attacker's point of view).  The monitoring aspect is mostly
> useful for the non-malicious case: to make sure you're not screwing up
> your policy somehow.

OK, fair point.


Received on Wednesday, 19 January 2011 23:41:36 UTC