- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sun, 18 Aug 2013 12:54:10 -0700
- To: Mike Shema <mshema@qualys.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Sunday, 18 August 2013 19:54:59 UTC
> This is intended to affect cross-origin requests made by a browser. In your proposal, what constitutes a cross-origin request? While the case of <iframe> or <script> subresources is clear, would a 'self' policy prevent third-party sites from as little as providing a fully-working link to a protected application? What would be the behavior for requests made from origins such as data:text/html,...?
>
> Note a possible incompatibility between meta referrer=never and preflight requests.
>
> Also note that such protections would be inherently ineffective for GET XSRF on sites that:
>
> 1) Use internal redirectors. Any site that accepts something like /foo?returnURL=/local_path/ (this does not have to be an open redirector, just a site-scoped one) would be vulnerable.
>
> 2) Permit user-controlled links of any sort (webmail systems, social networks, online forums, and a good chunk of other complex web apps).
>
> /mz