On Wed, Jun 19, 2013 at 3:59 PM, Charles McCathie Nevile <[email protected]> wrote:
> On Wed, 19 Jun 2013 06:56:13 +0200, Anne van Kesteren <[email protected]> wrote:
>> Downside of that approach is increased attack surface for a suite
>> [of] applications
>
> Can you please expand on that?
Say you have http://example.org/mail/ and http://example.org/contacts/. Because of the way origin-restrictions work today, if I find an XSS-exploit for /contacts/, I can get to /mail/'s data too.

We could maybe make an opt-in change to origin to provide further robustness to such setups, by allowing path or some such to be added to the computation of origin. Given the way CORS and such work now I'm not sure how deployable such a change would be, even if opt-in, but it's worth exploring I think.

--
http://annevankesteren.nl/
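
To make the point in the reply concrete, here is an added illustration (not code from the thread or from any browser) of why /mail/ and /contacts/ are one origin today, and of what a hypothetical opt-in path-scoped origin would change. The function names, the `scopedPrefixes` list and the idea that a site declares which top-level path prefixes become their own origin are all assumptions made for the example; the conventional mitigation available today, separate hosts such as mail.example.org and contacts.example.org, is shown for comparison.

```javascript
// Added example: the web origin is the (scheme, host, port) tuple; the path
// plays no part, which is why two apps under one host share each other's
// cookies, storage and DOM access.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin as browsers compute it today. Default ports are made explicit so
// http://example.org/ and http://example.org:80/ compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Hypothetical opt-in scheme (an assumption for this example): the site
// declares path prefixes, e.g. ["/mail/", "/contacts/"], that are folded into
// the origin. Prefixes end in "/" so "/mailing/" does not match "/mail/".
// URLs outside every declared prefix keep the plain host-level origin.
function pathScopedOriginOf(urlString, scopedPrefixes) {
  const base = originOf(urlString);
  const path = new URL(urlString).pathname;
  const prefix = scopedPrefixes.find((p) => path.startsWith(p));
  return prefix ? `${base}${prefix}` : base;
}

// Same-origin check; passing scopedPrefixes switches to the hypothetical rule.
function sameOrigin(a, b, scopedPrefixes) {
  if (!scopedPrefixes) return originOf(a) === originOf(b);
  return (
    pathScopedOriginOf(a, scopedPrefixes) ===
    pathScopedOriginOf(b, scopedPrefixes)
  );
}

// Today: one host, two apps, one origin (the situation the reply describes).
sameOrigin("http://example.org/mail/", "http://example.org/contacts/"); // true
// Hypothetical opt-in path scoping separates them.
sameOrigin("http://example.org/mail/inbox", "http://example.org/contacts/",
  ["/mail/", "/contacts/"]); // false
// What deployers can do today: put each app on its own host.
sameOrigin("http://mail.example.org/", "http://contacts.example.org/"); // false
```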
