On Mon, Jan 25, 2010 at 1:29 AM, Adam Barth <wha...@adambarth.com> wrote: > That depends what information the attacker encodes in the host name. > Recall that we're imaging the attacker gets to run JavaScript within > the sandbox
If we're assuming that, then yes, it's probably hopeless. But are we assuming that? The given use-case was webmail -- that would be expected to disable scripts in the sandbox, no? > The point is that stopping exfiltration is a losing battle that we > shouldn't bother to play. Even if scripting is disabled?