Re: What is the same-origin policy for (was Re: The Origin header)

Ian, are you aware that that will provide CSS the power to execute
JavaScript cross-site? (think of XSS).

Right now we can't do this on Firefox anymore, because they limited it to
same domain, but if this gets implemented then attacker.com will just send
the header so his script will be loaded.

I thought that was the reason moz bindings were disabled in the first place
=/ because no one wanted CSS to execute JS.

Greetings!!

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Mon, Dec 7, 2009 at 3:28 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Mon, 7 Dec 2009, sird@rckc.at wrote:
> >
> > a.example.com/mozbind.html
> >
> > or
> >
> > b.example.net/binding.xml
>
> Both. a.example.com/mozbind.html has to reference
> b.example.net/binding.xml, and b.example.net/binding.xml has to opt-in to
> supporting a.example.com.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>

Received on Monday, 7 December 2009 08:30:54 UTC
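To make the two rules under discussion concrete, here is an added illustration that is not code from the thread or from Mozilla: a small Python model in which the page's origin, the binding URL found in a `-moz-binding` declaration, and the binding host's opt-in response header decide whether the binding would be applied. The header name, hostnames and server responses are assumed stand-ins; the model shows what the host-side opt-in does protect (a binding being pulled into a page its host never approved) and what it does not (a page whose stylesheet an injector controls).

```python
import re
from urllib.parse import urlsplit

# Assumed stand-in for the opt-in response header discussed in the thread.
OPT_IN_HEADER = "access-control-allow-origin"

# Constructed fixture: the headers each binding host answers with when fetched.
# A host under an injector's control can emit whatever opt-in value it likes.
BINDING_SERVERS = {
    "https://b.example.net/binding.xml": {OPT_IN_HEADER: "https://a.example.com"},
    "https://attacker.example/binding.xml": {OPT_IN_HEADER: "https://a.example.com"},
}


def origin(url):
    """Scheme + host[:port] of a URL, the unit the policies compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def binding_url_from_css(css):
    """Extract the URL from a -moz-binding declaration, or None if there is none."""
    m = re.search(r"-moz-binding\s*:\s*url\(\s*['\"]?([^'\")\s]+)", css)
    return m.group(1) if m else None


def same_origin_allows(page_url, binding_url, _headers):
    """Current Firefox rule: the binding must share the page's origin."""
    return origin(page_url) == origin(binding_url)


def opt_in_allows(page_url, binding_url, headers):
    """Proposed rule: same-origin, or the binding host lists the page's origin."""
    if same_origin_allows(page_url, binding_url, headers):
        return True
    permitted = headers.get(OPT_IN_HEADER, "")
    return permitted == "*" or origin(page_url) in permitted.split()


def decide(page_url, css, policy):
    """True when the binding referenced in css would be applied to page_url."""
    binding_url = binding_url_from_css(css)
    if binding_url is None:
        return False
    headers = BINDING_SERVERS.get(binding_url, {})
    return policy(page_url, binding_url, headers)


# Constructed scenarios: a legitimate cross-site binding, and a stylesheet an
# injector managed to place on the same page pointing at a host they control.
VICTIM_PAGE = "https://a.example.com/profile"
LEGIT_CSS = "body { -moz-binding: url(https://b.example.net/binding.xml); }"
INJECTED_CSS = "body { -moz-binding: url('https://attacker.example/binding.xml'); }"
```

Under the opt-in rule both stylesheets pass for a.example.com, which is the objection raised above; the rule only refuses when a third page such as c.example.org tries to use b.example.net's binding without being listed.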