On Mon, Dec 12, 2011 at 11:25 AM, Yoav Nir <[email protected]> wrote: > On Dec 12, 2011, at 9:13 PM, Murray S. Kucherawy wrote: >>> -----Original Message----- >>> From: Adam Barth [mailto:[email protected]] >>> Sent: Monday, December 12, 2011 11:09 AM >>> To: Murray S. Kucherawy >>> Cc: [email protected] >>> Subject: Re: [websec] Same Origins and email >>> >>> That depends on the MUA. In Gmail, for example, the origin is >>> https://mail.google.com. It depends on the URL the MUA assigns to the >>> HTML document contained in the email. >> >> What about something like Outlook or alpine, where we're not talking about a >> web-based MUA but one that pulls from a local store? > > file://localhost ? > > Although I think HTML you get through the mail should not be scripted by > files on your computer, so maybe each mail item should have its own origin.
The questions you're asking don't really have universal answers. These behaviors aren't standardized and so are likely to vary from MUA to MUA. Adam _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
