Re: [cors] Protecting benign but buggy client side code

On Sat, 21 Aug 2010 03:59:09 +0200, Devdatta Akhawe <dev.akhawe@gmail.com>  
wrote:
> It seems that over here facebook is a benign server that some time in
> the past assumed that XHR can only be same origin, and with the
> introduction of cross origin XHR is suddenly vulnerable to XSS. In
> general, a client needs to 'add' stuff to its js to be safe after the
> introduction of XHR. This isn't ideal.

Yeah, this was discussed some time ago on this list already. We decided  
this risk was minor enough, especially now lots of shipping clients expose  
this already.


-- 
Anne van Kesteren
http://annevankesteren.nl/
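The message quoted above describes the pattern at issue: page script written when XMLHttpRequest could only reach its own origin fetches a URL it built from something it did not fully control and writes the response into the DOM, relying on the browser's refusal of cross-origin requests as its only check. Once cross-origin XHR exists, a server that opts in with Access-Control-Allow-Origin can supply that response, so the page has to do the origin check itself. The following is an added example of such a check, not code from the thread or from any site mentioned in it; the page origin https://app.example, the `transport` and `sink` hooks (standing in for XMLHttpRequest and `element.innerHTML`), and all sample URLs are constructed for the example.

```javascript
// Added example (not from the thread). Assumes a constructed page origin
// https://app.example and hypothetical transport/sink hooks so that the
// logic runs outside a browser.

// Resolve `target` the way the browser would (relative URLs against the
// page's own URL) and compare scheme, host and port with the page origin.
// Scheme-only or opaque targets such as data: have origin "null" and are
// refused along with everything else that is not the page's own origin.
function isSameOrigin(target, pageUrl) {
  let resolved;
  try {
    resolved = new URL(target, pageUrl);
  } catch (e) {
    return false; // unparsable URL: refuse rather than guess
  }
  const page = new URL(pageUrl);
  return resolved.origin !== 'null' && resolved.origin === page.origin;
}

// Guarded version of the legacy "fetch a URL, innerHTML the result" pattern.
// `transport(href, onBody)` is a hypothetical hook standing in for an XHR
// GET; `sink(html)` stands in for `container.innerHTML = html`. The result
// object tells the caller what happened so it can be logged.
function loadFragment(target, pageUrl, transport, sink) {
  if (!isSameOrigin(target, pageUrl)) {
    // Before CORS the browser enforced this for us; now the page must.
    return { status: 'refused', href: String(target) };
  }
  const href = new URL(target, pageUrl).href;
  transport(href, function (body) {
    // Same-origin by construction, so this is the application's own markup.
    sink(body);
  });
  return { status: 'sent', href: href };
}

// Stand-alone demo with constructed inputs (not run when imported by a test).
if (typeof require !== 'undefined' && require.main === module) {
  const demoPage = 'https://app.example/home#section';
  const candidates = [
    '/ajax/panel?id=7',                 // relative: same origin
    'https://app.example:443/x',        // default port normalises away
    'https://app.example.other.example/x', // suffix trick: different host
    '//other.example/panel',            // scheme-relative: different host
    'http://app.example/x',             // scheme differs
    'https://app.example:8443/x',       // port differs
    'data:text/html,hi'                 // opaque origin
  ];
  candidates.forEach(function (c) {
    console.log(c, '->', isSameOrigin(c, demoPage) ? 'same-origin' : 'refused');
  });
}
```

The check goes before the request, not after it: a fragment that has already been fetched cross-origin has already told the remote server which user is asking, so refusing to send is the cheaper and safer failure.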

Received on Friday, 27 August 2010 11:31:26 UTC