On Fri, 28 Aug 2009 09:29:55 +0200, Adam Barth <[email protected]>
wrote:
On Fri, Aug 28, 2009 at 12:25 AM, Mike Wilson<[email protected]> wrote:
I see what you mean. The ideal thing would be if we
could implement path-based security with the same
construct that adds path-based namespacing.
I realize the problem of backwards-compat, but have
there been any efforts or definitive conclusions made
in this area?
I suspect the scheme+host+port model is too entrenched at this point
to add +path to the origin tuple.
Note also that someone on /evilpath/ can simply inject an <iframe> loading
/targetpath/ and extract cookies from there via ECMAScript or initiate
requests from there, etc. Paths cannot be trusted to provide security.
(Maybe the specification should point that out.)
--
Anne van Kesteren
http://annevankesteren.nl/
