- From: Daniel Holbert <dholbert@mozilla.com>
- Date: Tue, 09 Apr 2013 09:32:26 -0700
- To: Dirk Schulze <dschulze@adobe.com>, Anne van Kesteren <annevk@annevk.nl>
- CC: "robert@ocallahan.org" <robert@ocallahan.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 04/09/2013 06:51 AM, Dirk Schulze wrote:
>
> On Apr 9, 2013, at 6:49 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I suggest reading carefully through the bug Robert referenced and my
>> analyses in response. We discussed exactly this.
>
> Great! To be honest it is a bit hard to follow.

(The relevant comments on the bug are comment 0 and comment 3. Comment 0 includes some attack scenarios, including one along the lines of your Twitter avatar example, and Comment 3 mentions that same-origin restrictions won't help, given that many sites have open redirectors hosted at a same-origin URL.)

~Daniel
Received on Tuesday, 9 April 2013 16:32:54 UTC