Re: XSS mitigation in browsers

> The current text just uses the final URL. Is there some reason every
> hop is important? Using the final URL is analogous to how <iframe>
> works, for example.

Yeah, I meant to say it should not settle for checking the initial
URL only (this is a mistake repeated so many times with
XMLHttpRequest, etc., that it's becoming very sad). The last URL is
obviously fine.

> The attacker can always just avoid doing anything that triggers a
> SecurityViolation (because triggering SecurityViolations is useless
> from the attacker's point of view). The monitoring aspect is mostly
> useful for the non-malicious case: to make sure you're not screwing up
> your policy somehow.

OK, fair point.

/mz

Received on Wednesday, 19 January 2011 23:41:36 UTC
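As an added illustration of the point argued in the reply above (that a policy check applied only to the initial request URL is bypassed by a redirect, while checking the final URL, or every hop, is not), here is a small JavaScript model. It is not code from the thread or from any browser or spec draft: the allowlist of origins, the redirect table and the URLs are all constructed for the example, and "policy" here is just an origin allowlist standing in for whatever the real mechanism would enforce.

```javascript
// Added example, not from the original thread. Models three ways of
// applying an origin allowlist to a fetch that may be redirected.

// Hypothetical policy: only this origin may serve the resource.
const allowedOrigins = new Set(["https://cdn.example"]);

// Constructed redirect table standing in for HTTP 3xx Location headers:
// request URL -> redirect target (may be relative to the request URL).
const redirects = new Map([
  // Chain that ends on a disallowed origin.
  ["https://cdn.example/lib.js", "/v2/lib.js"],
  ["https://cdn.example/v2/lib.js", "https://evil.example/lib.js"],
  // Chain that bounces through a disallowed origin and comes back.
  ["https://cdn.example/bounce.js", "https://tracker.example/go"],
  ["https://tracker.example/go", "https://cdn.example/final.js"],
]);

function originOf(url) {
  return new URL(url).origin;
}

// Follow the redirect chain from `url` and return every URL visited,
// first element the initial URL, last element the final URL. Throws on
// a loop or an over-long chain so a malicious server cannot stall us.
function resolveChain(url, maxHops = 20) {
  const hops = [url];
  let current = url;
  for (let i = 0; i < maxHops && redirects.has(current); i++) {
    // Resolve the Location value against the URL that issued it, as a
    // browser would for a relative redirect.
    current = new URL(redirects.get(current), current).href;
    hops.push(current);
  }
  if (redirects.has(current)) {
    throw new Error("redirect loop or too many hops for " + url);
  }
  return hops;
}

// The mistake discussed in the thread: only the initial URL is checked,
// so a redirect to any origin sails through.
function allowedInitialOnly(url) {
  return allowedOrigins.has(originOf(url));
}

// Check the final URL after following redirects (the behaviour the
// thread says the draft text already has).
function allowedFinal(url) {
  const hops = resolveChain(url);
  return allowedOrigins.has(originOf(hops[hops.length - 1]));
}

// Strictest variant: every hop in the chain must be allowed, so even a
// bounce through a disallowed origin is rejected.
function allowedEveryHop(url) {
  return resolveChain(url).every((hop) => allowedOrigins.has(originOf(hop)));
}

// Summarise how the three checks disagree for one request URL.
function compare(url) {
  return {
    chain: resolveChain(url),
    initialOnly: allowedInitialOnly(url),
    finalUrl: allowedFinal(url),
    everyHop: allowedEveryHop(url),
  };
}
```

For `https://cdn.example/lib.js` the initial-only check passes although the resource actually loaded comes from `evil.example`; the final-URL check catches it. For `https://cdn.example/bounce.js` the final-URL check passes while the every-hop check does not, which is exactly the difference the quoted question about "every hop" is asking about.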