[whatwg] origin+path namespacing and security

On Fri, Aug 28, 2009 at 1:41 AM, Mike Wilson<mikewse at hotmail.com> wrote:
> - this mechanism needs a way to specify the blessed path,
> ?maybe something along the lines of document.domain or a
> ?response header

1) Document.domain is an abomination.  We certainly don't want more
features like that.

2) There's a race condition in such a "default insecure" approach: the
excluded paths can just XSS the page before it opts in to tighter
security.

Adam

Received on Friday, 28 August 2009 01:50:51 UTC