On Wed, 19 Jun 2013 11:27:33 +0200, Anne van Kesteren <[email protected]>
wrote:
On Wed, Jun 19, 2013 at 3:59 PM, Charles McCathie Nevile
<[email protected]> wrote:
On Wed, 19 Jun 2013 06:56:13 +0200, Anne van Kesteren <[email protected]>
wrote:
Downside of that approach is increased attack surface for a suite
[of] applications
Can you please expand on that?
Say you have http://example.org/mail/ and http://example.org/contacts/
Because of the way origin-restrictions work today, if I find an
XSS-exploit for /contacts/, I can get to /mail/'s data too.
"click". OK. Thanks :)
We could maybe make an opt-in change to origin to provide further
robustness to such setups, by allowing path or some such to be added
to the computation of origin. Given the way CORS and such work now I'm
not sure how deployable such a change would be, even if opt-in, but
it's worth exploring I think.
Yeah, I think it is too.
One of the scenarios I have in mind is where a few apps from an origin use
some common stuff. Which is obviously increasing the attack surface in the
way that you mention, but if the same people are forced to use different
origins for stuff that is copy-pasted across then I am not sure we are
really exposing anything new except a requirement to buy more domains...
cheers
--
Charles McCathie Nevile - Consultant (web standards) CTO Office, Yandex
[email protected] Find more at http://yandex.com
