> Now, let's look at threats: > 1. Man in the middle - it's fixed. > 2. Phishing always requires the browser to load attacker's website, so it's > permanently dead here. > 3. Drive-by Download - dead(if applied strictly, unable to download the > executable) > 4. Clickjacking - dead(attacker's web page is unreachable) > 5. Address Spoofing - dead too(just unable to load the fake content) > 6. XSS - almost dead(for attacker, the XSS vulnerability has to be GET, > because POST requires attacker's HTML) > 7. CSRF - almost dead(for attacker, the CSRF vulnerability has to be GET, and > modern web applications simply don't do > important things in GET, because it can be bookmarked etc, too dangerous)
BTW, only allowing Javascript to come from the primary domain over SSL would be a far saner idea, but lets see you get that past Google, facebook and all the other tracking sites? -- KISSIS - Keep It Simple So It's Securable
