W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Redirect and Origin

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 10 Jun 2009 13:15:41 +0200
To: "Tyler Close" <tyler.close@gmail.com>, "Jonas Sicking" <jonas@sicking.cc>
Cc: "Adam Barth" <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.uva2wfjl64w2qv@annevk-t60>
On Wed, 10 Jun 2009 01:01:01 +0200, Tyler Close <tyler.close@gmail.com> wrote:
> http://waterken.sourceforge.net/aclsdont/
> All of the vulnerabilities discussed in that paper also apply in the
> web browser context. In addition, the situation is worse, since not
> all stack frames are visible to the browser, since it only sees
> interactions at the granularity of origins. For example, in a Caja,
> ADsafe or Facebook scenario where widgets are running in the same
> page, stack introspection of origins is useless, since there's only
> the one origin. This whole approach is a dead end for where the Web is
> today and is going tomorrow.

I think for those scenarios you really want to use a sandboxed <iframe> so the code from ads gets its own origin and can only communicate with the main page through messages. If sandboxed <iframe>s are adopted that would also change your prediction of where the Web is going if I understand your point correctly.

Anne van Kesteren
Received on Wednesday, 10 June 2009 11:16:35 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC