- From: Phani <pklanka@gmail.com>
- Date: Mon, 1 Aug 2011 17:09:54 +0530
- To: public-webapps@w3.org
- Message-ID: <CAC47B0vs3TWGbrYO6ozZF2w5R_SCVfkUGbFFNvE-eCpcRKvdWA@mail.gmail.com>
Hello list,

While we are still at CORS - could we have something like a reverse CORS - that means an original server should explicitly allow scripts loaded from an external domain. Having only CORS does prevent the data from being hijacked / information being sent to another domain.

Example - If an attacker owns a domain to which the information is passed, the domain could as well respond with the complete set of required headers and receive the information (or an attacker could do a simple GET request and post the cookie / other values and steal the information).

The idea is to work on something on the level of reverse CORS. Which means, if an attacker has modified the page to include a JS file within the site, the browser would check the parent server from which the page has loaded to check if it can load scripts from that domain - something like a reverse verification (which the browser validates from the parent domain).

Does that make sense? Is there an alternative already?

regards
Phani Lanka
Received on Tuesday, 2 August 2011 09:06:58 UTC
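Editor's note with an added example (not part of the original message): the "reverse verification" the poster describes, where the server that serves the page declares which origins may supply its scripts and the browser refuses any other `<script src>`, is what the Content Security Policy `script-src` directive provides. The JavaScript below models that enforcement in the browser's position. The header name, the `'self'`/`'none'` keywords, the `*.host` wildcard and the fallback from `script-src` to `default-src` are borrowed from CSP; the policy string, page URL and script list are constructed sample input, and port matching is deliberately left out.

```javascript
// Added example, not code from the original mailing-list message or from any
// W3C draft. Models the "reverse CORS" check: the page's server declares the
// origins it trusts for scripts, and the browser checks every <script src>
// against that list. Syntax mirrors CSP's script-src (an assumption); ports
// are ignored for brevity.

// Parse "default-src 'self'; script-src 'self' https://cdn.example *.s.example"
// into the list of script source expressions. Falls back to default-src as
// CSP does; returns null when neither directive is present (no policy).
function parseScriptSources(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// Does one source expression permit this script URL for this page?
function sourceMatches(expr, pageUrl, scriptUrl) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return pageUrl.origin === scriptUrl.origin;
  if (expr === "*") return /^https?:$/.test(scriptUrl.protocol);

  // Optional scheme in front of the host expression, e.g. https://cdn.example
  let scheme = null;
  let host = expr;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/.exec(expr);
  if (m) {
    scheme = m[1] + ":";
    host = m[2];
  }
  if (scheme) {
    if (scheme !== scriptUrl.protocol) return false;
  } else if (scriptUrl.protocol !== pageUrl.protocol && scriptUrl.protocol !== "https:") {
    // Scheme-less host: inherit the page's scheme, or allow an upgrade to https.
    return false;
  }

  const name = scriptUrl.hostname;
  if (host.startsWith("*.")) {
    return name.endsWith(host.slice(1)); // "*.a.example" matches "x.a.example", not "a.example"
  }
  return name === host;
}

// The browser-side decision for one script tag. A relative src is resolved
// against the page URL, exactly as the HTML parser would do it.
function isScriptAllowed(headerValue, pageUrlStr, scriptUrlStr) {
  const sources = parseScriptSources(headerValue);
  if (sources === null) return true; // no policy: legacy behaviour, anything loads
  const pageUrl = new URL(pageUrlStr);
  const scriptUrl = new URL(scriptUrlStr, pageUrl);
  return sources.some((s) => sourceMatches(s, pageUrl, scriptUrl));
}

// Walk the script tags of a page (including one an attacker injected) and
// report which would run and which would be refused.
function enforce(headerValue, pageUrlStr, scriptSrcs) {
  const result = { allowed: [], blocked: [] };
  for (const src of scriptSrcs) {
    (isScriptAllowed(headerValue, pageUrlStr, src) ? result.allowed : result.blocked).push(src);
  }
  return result;
}

// Constructed sample: the page at https://bank.example/ trusts itself, its CDN
// and any host under static.bank.example; the attacker injected a script
// served from a domain they control.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.bank.example *.static.bank.example";
const SAMPLE_PAGE = "https://bank.example/account";
const SAMPLE_SCRIPTS = [
  "/js/app.js",                           // same origin
  "https://cdn.bank.example/lib.js",      // listed CDN
  "https://a.static.bank.example/x.js",   // wildcard match
  "https://attacker.example/steal.js",    // injected by the attacker
  "http://cdn.bank.example/lib.js",       // listed host, wrong scheme
];

console.log(enforce(SAMPLE_POLICY, SAMPLE_PAGE, SAMPLE_SCRIPTS));
```

The attacker's script is refused even though the attacker's server would happily answer with any CORS headers asked of it: the decision is made from the policy the page's own server sent, which the attacker cannot change without already controlling that server. Note the check only covers where a script may be loaded from; a script that is already injected inline is a separate problem that the same policy mechanism handles by refusing inline code unless explicitly allowed.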