- From: Odin Hørthe Omdal <odinho@opera.com>
- Date: Wed, 04 Jul 2012 10:51:25 +0200
- To: "Web Application Security Working Group" <public-webappsec@w3.org>
On Tue, 03 Jul 2012 23:43:15 +0200, Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org> wrote:

> webappsec-ISSUE-15 (SRCDOC, BLOB, ETC): How to handle srcdoc, blob:, di:
> and ways of directly creating content
> http://www.w3.org/2011/webappsec/track/issues/15
>
> Raised by: Brad Hill
> On product:
>
> http://lists.w3.org/Archives/Public/public-whatwg-archive/2012May/0100.html
>
> How to handle "inline" content either by attribute or URI schemes that
> specify content or origin-ambiguous pointers to content needs to be
> documented. This may provide a way for injected content to add
> unauthorized content if such content does not inherit the parent's CSP
> policies, for example.

I understood it so that they get a Global Unique Identifier as Origin. More often we know the GUID as 'null' because that's what it serializes to; however, internally it's supposed to be a truly unique number.

As long as it doesn't just store Origin 'null' for everything so that 'null' === 'null' in the code, same-origin defences will (hopefully) kick in.

Definitely worth taking a closer look at though. Something you have on your agenda already, Brad? :-)

-- 
Odin Hørthe Omdal (Velmont/odinho) · Core, Opera Software, http://opera.com
Received on Wednesday, 4 July 2012 08:51:59 UTC
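The two points in the message (an opaque origin that serializes to 'null' but must not compare equal to another 'null', and inline content that must inherit the parent's CSP) can be shown with a small model. The code below is an added example, not code from the thread, from the W3C tracker, or from any browser engine: `tupleOrigin`, `opaqueOrigin`, `createInlineChild`, `scriptAllowed` and the `{ scriptSrc: [...] }` policy shape are constructed for this illustration, and the rule that a child gets a fresh opaque origin or inherits the parent's policies is a modelling choice driven by the `uniqueOrigin` and `inheritCsp` options, not a statement of what any specification requires.

```javascript
// Added example (not from the original message or any browser): a toy model
// of origins and CSP inheritance for "directly created" content such as
// srcdoc and blob: documents.

// Opaque origins get a unique internal identity but serialize to "null".
let nextOpaqueId = 1;

function tupleOrigin(scheme, host, port) {
  return { kind: 'tuple', scheme, host, port };
}

function opaqueOrigin() {
  // Internal identity: unique per creation, never equal to another opaque origin.
  return { kind: 'opaque', id: nextOpaqueId++ };
}

// Serialized form as scripts and headers see it.
function serializeOrigin(o) {
  if (o.kind === 'opaque') return 'null';
  return `${o.scheme}://${o.host}:${o.port}`;
}

// Correct same-origin check: opaque origins are same-origin only with
// themselves (identity), never because both serialize to "null".
function isSameOrigin(a, b) {
  if (a.kind === 'opaque' || b.kind === 'opaque') return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The bug the message warns about: comparing the serialized strings, so
// every opaque origin is "same-origin" with every other one.
function isSameOriginBuggy(a, b) {
  return serializeOrigin(a) === serializeOrigin(b);
}

// A minimal document: its origin plus the list of CSP policies in force.
function createDocument(origin, csp) {
  return { origin, csp: csp ? [...csp] : [] };
}

// Creating a child from srcdoc / blob: content. Modelling choices (assumed,
// not spec text): uniqueOrigin gives the child a fresh opaque origin (the
// GUID-as-origin behaviour the message describes); inheritCsp copies the
// parent's policies into the child, which is what the issue asks for.
function createInlineChild(parent, opts) {
  const origin = opts.uniqueOrigin ? opaqueOrigin() : parent.origin;
  const csp = opts.inheritCsp ? parent.csp : [];
  return createDocument(origin, csp);
}

// Toy CSP enforcement (constructed): each policy lists allowed script source
// origins (serialized tuple form or 'self'); a script may run only if every
// policy in force allows it. 'self' never matches an opaque origin.
function scriptAllowed(doc, scriptOriginString) {
  if (doc.csp.length === 0) return true; // no policy in force
  return doc.csp.every(policy =>
    policy.scriptSrc.some(src =>
      src === scriptOriginString ||
      (src === "'self'" && doc.origin.kind === 'tuple' &&
        serializeOrigin(doc.origin) === scriptOriginString)));
}

// Walk through the scenario with constructed sample data.
function demo() {
  const parent = createDocument(
    tupleOrigin('https', 'example.test', 443),
    [{ scriptSrc: ["'self'"] }]);

  // Two inline children, each with its own opaque origin, both inheriting CSP.
  const childA = createInlineChild(parent, { uniqueOrigin: true, inheritCsp: true });
  const childB = createInlineChild(parent, { uniqueOrigin: true, inheritCsp: true });

  // A child created without inheriting CSP: the gap the issue describes.
  const leaky = createInlineChild(parent, { uniqueOrigin: false, inheritCsp: false });

  const thirdParty = 'https://third-party.test:443';
  return {
    bothSerializeNull: serializeOrigin(childA.origin) === 'null' &&
                       serializeOrigin(childB.origin) === 'null',
    buggySaysSame: isSameOriginBuggy(childA.origin, childB.origin), // true: the bug
    correctSaysSame: isSameOrigin(childA.origin, childB.origin),    // false
    selfSame: isSameOrigin(childA.origin, childA.origin),           // true
    parentRunsSelf: scriptAllowed(parent, 'https://example.test:443'),
    parentBlocksThirdParty: !scriptAllowed(parent, thirdParty),
    inheritingChildBlocksThirdParty: !scriptAllowed(childA, thirdParty),
    leakyChildRunsThirdParty: scriptAllowed(leaky, thirdParty),
  };
}
```

`demo()` returns the observations side by side: the two opaque origins both serialize to 'null', the string comparison wrongly treats them as the same origin while the identity comparison does not, and the child created without CSP inheritance runs a third-party script that the parent and the inheriting child both block.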