- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 28 Aug 2009 09:34:04 +0200
On Fri, 28 Aug 2009 09:29:55 +0200, Adam Barth <whatwg at adambarth.com> wrote:
> On Fri, Aug 28, 2009 at 12:25 AM, Mike Wilson <mikewse at hotmail.com> wrote:
>> I see what you mean. The ideal thing would be if we
>> could implement path-based security with the same
>> construct that adds path-based namespacing.
>>
>> I realize the problem of backwards-compat, but have
>> there been any efforts or definitive conclusions made
>> in this area?
>
> I suspect the scheme+host+port model is too entrenched at this point
> to add +path to the origin tuple.

Note also that someone on /evilpath/ can simply inject an <iframe> loading
/targetpath/ and extract cookies from there via ECMAScript or initiate
requests from there, etc. Paths cannot be trusted to provide security.
(Maybe the specification should point that out.)

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Friday, 28 August 2009 00:34:04 UTC
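Editor's added example (not part of the thread above): a small model of the two mechanisms the reply contrasts, the scheme+host+port origin tuple and the RFC 6265 cookie Path attribute, showing that Path only namespaces which cookies a document sees, while the origin check that gates DOM access ignores the path entirely. Hostnames, paths and cookie names are constructed for illustration.

```javascript
// Origin per the scheme+host+port model: the path component is absent from the tuple.
// URL.origin already normalises default ports (https://example.test:443 -> https://example.test).
function originOf(urlString) {
  return new URL(urlString).origin;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// RFC 6265 section 5.1.4 path-match: is a cookie with attribute `cookiePath`
// attached to a request for `requestPath`?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Model of what a document at `docUrl` can read through a frame at `frameUrl`:
// a cross-origin frame's DOM is off limits, but a same-origin frame's
// document.cookie exposes every cookie whose Path matches the frame's own path.
function cookiesReadableVia(docUrl, frameUrl, cookies) {
  if (!isSameOrigin(docUrl, frameUrl)) return [];
  const framePath = new URL(frameUrl).pathname;
  return cookies.filter(c => pathMatches(framePath, c.path)).map(c => c.name);
}

// Constructed cookie jar for one host, scoped by Path as the "namespacing" use case intends.
const SAMPLE_COOKIES = [
  { name: 'target_session', path: '/targetpath/' },
  { name: 'evil_pref', path: '/evilpath/' },
];

// Directly, a document under /evilpath/ only sees its own cookies; through a same-origin
// frame at /targetpath/ it sees the other path's cookies as well, because the origin tuple
// has no path. The defensive conclusion: treat one scheme+host+port as one trust domain.
console.log(cookiesReadableVia('https://example.test/evilpath/', 'https://example.test/evilpath/', SAMPLE_COOKIES));
console.log(cookiesReadableVia('https://example.test/evilpath/', 'https://example.test/targetpath/', SAMPLE_COOKIES));
```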