- From: Adam Barth <whatwg@adambarth.com>
- Date: Fri, 28 Aug 2009 01:50:51 -0700
On Fri, Aug 28, 2009 at 1:41 AM, Mike Wilson <mikewse at hotmail.com> wrote:

> - this mechanism needs a way to specify the blessed path,
>   maybe something along the lines of document.domain or a
>   response header

1) Document.domain is an abomination. We certainly don't want more features like that.

2) There's a race condition in such a "default insecure" approach: the excluded paths can just XSS the page before it opts in to tighter security.

Adam
Received on Friday, 28 August 2009 01:50:51 UTC