On Fri, Aug 28, 2009 at 1:41 AM, Mike Wilson <[email protected]> wrote:
> - this mechanism needs a way to specify the blessed path,
>  maybe something along the lines of document.domain or a
>  response header

1) Document.domain is an abomination.  We certainly don't want more
features like that.

2) There's a race condition in such a "default insecure" approach: the
excluded paths can just XSS the page before it opts in to tighter
security.

Adam
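The race in point 2, as an added toy model (not code from the thread or from any browser): a page is a list of scripts in document order, each from some path on the same host. Under a "default insecure, opt in later" scheme every path is trusted until a script narrows trust; under a response-header scheme the narrowing is in place before the first script runs. The paths, the `blessedPath` parameter, the `simulatePage` function and the "attacker script" effect are all constructed for illustration.

```javascript
// Added example, not from the original thread. Models the timing difference
// between narrowing the trusted path from script (after the page has started
// running) and narrowing it from a response header (before any script runs).
// Paths and script kinds below are constructed; "attacker" stands for a script
// served from a path the page wanted excluded.

function simulatePage(scripts, policy) {
  // policy.mode is "script-opt-in" or "response-header";
  // policy.blessedPath is the only path prefix that should be trusted.
  // null means "everything on this host is trusted" (the insecure default).
  let blessed = policy.mode === "response-header" ? policy.blessedPath : null;
  const compromised = [];

  for (const s of scripts) {
    // Trust is decided at the moment each script executes, which is what
    // makes the ordering matter.
    const trusted = blessed === null || s.path.startsWith(blessed);

    if (s.kind === "opt-in") {
      // The page's own code tightens the policy; anything that ran earlier
      // already had full access.
      blessed = policy.blessedPath;
      continue;
    }
    if (s.kind === "attacker" && trusted) {
      // An excluded path got to run with full same-origin access: XSS.
      compromised.push(s.path);
    }
  }
  return compromised;
}

// Constructed page: an excluded-path script that happens to run before the
// application code (e.g. injected into user content near the top of the
// document), then the opt-in, then another excluded-path script.
const PAGE = [
  { path: "/users/mallory/widget.js", kind: "attacker" },
  { path: "/app/main.js", kind: "opt-in" },
  { path: "/users/mallory/late.js", kind: "attacker" },
];

function raceWithScriptOptIn() {
  return simulatePage(PAGE, { mode: "script-opt-in", blessedPath: "/app/" });
}

function noRaceWithHeader() {
  return simulatePage(PAGE, { mode: "response-header", blessedPath: "/app/" });
}

console.log("script opt-in, compromised by:", raceWithScriptOptIn());
console.log("response header, compromised by:", noRaceWithHeader());
```

With script-driven opt-in the first excluded-path script is already running with full access before `/app/main.js` gets a chance to tighten anything; only the later one is stopped. With the header the policy exists before any script executes, so neither runs trusted.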
