- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Thu, 10 May 2012 07:17:40 +0200
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Peter Saint-Andre <stpeter@stpeter.im>, Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>, Andrew Sullivan <ajs@anvilwalrusden.com>

Wed 2012-05-09 at 22:10 -0700, Maciej Stachowiak wrote:

> Treating separate domains as same-origin based on DNS records seems
> extremely dangerous, with little counter-balancing benefit (it would
> not actually be usable until implemented in a large majority of
> browsers, and there's safer ways to communicate between different
> origins). In addition to the obvious XSS dangers, consider also how
> this feature might combine with DNS rebinding attacks.

Further, the user-agent may be using proxies, not using or even having access to DNS.

Regards
Henrik

Received on Thursday, 10 May 2012 05:18:33 UTC