Adam Barth wrote:
> Mike Wilson <[email protected]> wrote:
> > - this mechanism needs a way to specify the blessed path,
> >   maybe something along the lines of document.domain or a
> >   response header
>
> 1) Document.domain is an abomination. We certainly don't want more
> features like that.
>
> 2) There's a race condition in such a "default insecure" approach: the
> excluded paths can just XSS the page before it opts in to tighter
> security.

I also wrote:
> > My chain of thoughts is something like below (this
> > is just a general picture so don't take it too
> > literally):

so please feel welcome to provide alternatives instead of just
killing the provided analogies.

But more interesting is, are you saying that it is not possible,
under any circumstance, to design a secure opt-in mechanism in this
case? My belief was that security information delivered before the
actual document contents (like a response header) could activate the
desired security level before creation of the related JS context.

Best regards
Mike
