- From: Michael Nordman <michaeln@google.com>
- Date: Mon, 7 Feb 2011 15:46:37 -0800
On Mon, Feb 7, 2011 at 3:27 PM, Jonas Sicking <jonas at sicking.cc> wrote: > On Mon, Jan 31, 2011 at 6:27 PM, Michael Nordman <michaeln at google.com> wrote: >> But... the risk you outline is not possible... >> >>> However, with the modification you are proposing, an attacker site >>> could forever pin this page the users app-cache. This means that if >>> there is a security bug in the page, the attacker site could exploit >>> that security problem forever since any javascript in the page will >>> continue to run in the security context of bunnies.com. So all of a >>> sudden the CORS headers that the site added has now had a severe >>> security impact. >> >> The bunnies.com page stored in the attacker's appcache will never be >> loaded into the context of bunnies.com. There are provisions in the >> the appcache system to prevent that. Those provisions guard against a >> this type of attack via HTTP. > > Your proposal means that we forever lock that constraint on the > appcache. That is not currently the case. I.e. we'll never be able to > say "open an iframe using the resource which is available in my > appcache" or "open this cross-site worker using the resource available > in my appcache". > > Or at least we won't ever be able to do that for cross-site resources. I don't see how this would lock us in. As Ian points out, that limitation in the current design is intentional. Right now, I'm looking to work within the constraints of the current design to unhinder HTTPS. If and when we add the capability you describe (to execute cross-origin appcached content in the context of the originating origin), whatever protocols are designed to allow that for HTTP should also apply to HTTPS resources. Simply being CORS'able would not be sufficient to grant "execute" rights.
Received on Monday, 7 February 2011 15:46:37 UTC