- From: Mike Wilson <mikewse@hotmail.com>
- Date: Fri, 28 Aug 2009 11:17:36 +0200
Adam Barth wrote: > Mike Wilson<mikewse at hotmail.com> wrote: > > - this mechanism needs a way to specify the blessed path, > > ?maybe something along the lines of document.domain or a > > ?response header > > 1) Document.domain is an abomination. We certainly don't want more > features like that. > > 2) There's a race condition in such a "default insecure" approach: the > excluded paths can just XSS the page before it opts in to tighter > security. I also wrote: > > My chain of thoughts is something like below (this > > is just a general picture so don't take it too > > literally): so please feel welcome to provide alternatives instead of just killing the provided analogies. But more interesting is, are you saying that it is not possible, under any circumstance, to design a secure opt-in mechanism in this case? My belief was that security information delivered before the actual document contents (like a response header) could activate the desired security level before creation of the related JS context. Best regards Mike
Received on Friday, 28 August 2009 02:17:36 UTC