Re: Kickoff application manifest work

On Wed, Jun 19, 2013 at 3:59 PM, Charles McCathie Nevile
<chaals@yandex-team.ru> wrote:
> On Wed, 19 Jun 2013 06:56:13 +0200, Anne van Kesteren <annevk@annevk.nl>
> wrote:
>> Downside of that approach is increased attack surface for a suite
>> [of] applications
>
> Can you please expand on that?

Say you have http://example.org/mail/ and http://example.org/contacts/.
Because of the way origin-restrictions work today, if I find an
XSS-exploit for /contacts/, I can get to /mail/'s data too.

We could maybe make an opt-in change to origin to provide further
robustness to such setups, by allowing path or some such to be added
to the computation of origin. Given the way CORS and such work now I'm
not sure how deployable such a change would be, even if opt-in, but
it's worth exploring I think.


--
http://annevankesteren.nl/

Received on Wednesday, 19 June 2013 09:28:00 UTC
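
The origin comparison discussed in the message above, as an added example that is not part of the original email: it shows why /mail/ and /contacts/ share one origin today and how a path-aware comparison would separate them. `pathScopedOrigin` and its use of the first path segment are assumptions made for illustration, not an existing browser mechanism or the proposal's actual design.

```javascript
// Added illustration; pathScopedOrigin() is hypothetical, not a browser API.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin as computed today: (scheme, host, port). The path plays no part.
function originTuple(url) {
  const u = new URL(url);
  // URL.port is "" when the port is the scheme default, so fill it in.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return [u.protocol, u.hostname, port];
}

function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.every((part, i) => part === y[i]);
}

// Hypothetical opt-in variant: the first path segment joins the tuple.
function pathScopedOrigin(url) {
  const firstSegment = new URL(url).pathname.split("/")[1] || "";
  return [...originTuple(url), "/" + firstSegment];
}

function samePathScopedOrigin(a, b) {
  const x = pathScopedOrigin(a), y = pathScopedOrigin(b);
  return x.every((part, i) => part === y[i]);
}

// Constructed sample URLs based on the two applications named in the message.
const mail = "http://example.org/mail/inbox";
const contacts = "http://example.org/contacts/list";

// Same origin today: script running in /contacts/ is not isolated from /mail/.
console.log("same origin today:", sameOrigin(mail, contacts));
// With the path in the tuple, the two applications become distinct origins.
console.log("same path-scoped origin:", samePathScopedOrigin(mail, contacts));
```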