- From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Date: Wed, 1 Jul 2009 09:23:12 -0400
- To: ext Anne van Kesteren <annevk@opera.com>
- Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, public-webapps WG <public-webapps@w3.org>
So the issue is not confidentiality, it is inappropriate script execution. Got it.

Thanks Anne

regards, Frederick

Frederick Hirsch
Nokia

On Jul 1, 2009, at 5:34 AM, ext Anne van Kesteren wrote:

> I might not have time to address your larger set of questions before I
> leave on vacation tomorrow, but I thought I could at least answer
> this one.
>
> On Tue, 30 Jun 2009 17:38:20 +0200, Frederick Hirsch
> <Frederick.Hirsch@nokia.com> wrote:
>> One additional question regarding a cross-site GET (using "browser" here
>> for simplicity of terms) (for example, see [1])
>>
>> Is it true that
>>
>> 1. the GET results in the content being returned on the wire with an
>> Access-Control-Allow-Origin header
>> 2. the browser then checks this header and enforces policy
>> 3. if policy disallows then the browser does not allow the content to be
>> used.
>
> Yes, this is correct.
>
>
>> In any case, doesn't this open an attack to get the content by sniffing
>> the wire for the response content, regardless of the header?
>
> If that is a viable attack scenario such servers are already exposed due
> to e.g. cross-origin <img> or <iframe> loading which already works today.
> Or e.g. by simply setting window.location to the address from which you
> want to sniff the response.
>
> All the header is effectively protecting is exposing the "raw" contents of
> a cross-origin resource to script.
>
>
>> [1] http://arunranga.com/examples/access-control/SimpleXSInvocation.txt
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
Received on Wednesday, 1 July 2009 13:24:31 UTC
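The three-step sequence Frederick lists (response arrives on the wire with an Access-Control-Allow-Origin header, browser checks it, browser withholds the content from script if the check fails) and Anne's point that the header only gates script access to the raw bytes can be modelled in a few lines. The following is an added example written for this archive page, not code from either participant or from the Access-Control specification. The origins, the response object and its body are constructed sample data; the header handling follows the simple-request rules of the spec (exact match of the serialized origin, or "*" for a request sent without credentials).

```javascript
// Added example (not from the original thread): a model of the check a
// browser performs on a cross-site GET under Access-Control. The body is
// always present on the wire; only the decision to expose it to the
// requesting script depends on the Access-Control-Allow-Origin header.

// Decide whether script running at `requestOrigin` may read a response
// whose Access-Control-Allow-Origin header is `allowOrigin`.
// `withCredentials` models a request that carried cookies or HTTP auth,
// for which the "*" wildcard is not accepted.
function corsReadAllowed(requestOrigin, allowOrigin, withCredentials = false) {
  if (allowOrigin === null || allowOrigin === undefined) return false;
  const value = allowOrigin.trim();
  if (value === "*") return !withCredentials;
  // Exact, case-sensitive comparison of the serialized origin: no partial
  // matches, no lists, no scheme or port leniency.
  return value === requestOrigin;
}

// Simulate the browser. The network layer has already received the full
// response (bytesOnWire); the policy step decides what script gets back.
function fetchCrossOrigin(requestOrigin, response, withCredentials = false) {
  // Header names are case-insensitive; the constructed response below
  // stores them lower-cased so a plain lookup works.
  const acao = response.headers["access-control-allow-origin"];
  const bytesOnWire = response.body.length;
  if (!corsReadAllowed(requestOrigin, acao, withCredentials)) {
    // The content reached the client; the script is simply not given it.
    return { status: 0, body: null, blocked: true, bytesOnWire };
  }
  return { status: response.status, body: response.body, blocked: false, bytesOnWire };
}

// Constructed sample response from a hypothetical resource server that
// only grants https://app.example read access. Not a real service.
const SAMPLE_RESPONSE = {
  status: 200,
  headers: {
    "content-type": "text/plain",
    "access-control-allow-origin": "https://app.example",
  },
  body: "constructed cross-origin payload",
};

// Stand-alone demonstration: the allowed origin reads the body, a
// different origin receives nothing, yet bytesOnWire is the same in both.
console.log(fetchCrossOrigin("https://app.example", SAMPLE_RESPONSE));
console.log(fetchCrossOrigin("https://attacker.example", SAMPLE_RESPONSE));
```

The `bytesOnWire` field in both results is the point of Anne's reply: the header never prevented the response from being transmitted, so a party who can sniff the wire already has it, exactly as they would for an `<img>` or `<iframe>` load or a navigation. What the header controls is whether the requesting page's script is handed the bytes.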