- From: Dave Camp <dave.camp@gmail.com>
- Date: Tue, 21 Oct 2008 14:24:24 -0700
On Tue, Oct 21, 2008 at 12:47 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Tue, 21 Oct 2008, Dave Camp wrote:
>> On Fri, Oct 17, 2008 at 6:36 PM, Ian Hickson <ian at hixie.ch> wrote:
>> > Summary of changes:
>>
>> > * Made application caches scoped to their browsing context, and allowed
>> > iframes to start new scopes. By default the contents of an iframe are
>> > part of the appcache of the parent, but if you declare a manifest, you
>> > get your own cache.
>>
>> Should this inheritance be subject to the same origin restriction
>> enforced while selecting a cache during navigation?
>
> The same-origin restriction is intended to prevent people from setting up
> their manifests such that another site will stop being fetched from the
> net. In an iframe, the risk isn't present, since you have to go to the
> evil site in the first place, and it has to explicitly pick the victim
> site in an iframe. Since you can't tell what the URL of the victim iframe
> content is anyway, there's no practical difference between it being on a
> remote site or the same site, as far as I can tell.
>
> No?

Yeah, but it does let an evil site persist a potential DOM-based XSS
attack permanently. It still depends on you visiting the evil site
repeatedly, though.

-dave

Received on Tuesday, 21 October 2008 14:24:24 UTC