[OpenAjaxSecurity] Fw: XHR: definition of same-origin

Jon Ferraiolo jferrai at us.ibm.com
Wed Sep 26 07:02:33 PDT 2007
There is a thread at the W3C about how to define same origin. I encourage
people to read through the discussion and make sure that nothing bad is
happening.

http://lists.w3.org/Archives/Public/public-webapi/2007Sep/

Jon

----- Forwarded by Jon Ferraiolo/Menlo Park/IBM on 09/26/2007 07:00 AM -----

From: "Anne van Kesteren" <annevk at opera.com>
Sent by: public-webapi-request at w3.org
To: "Boris Zbarsky" <bzbarsky at mit.edu>
cc: "Maciej Stachowiak" <mjs at apple.com>, "Web API WG (public)" <public-webapi at w3.org>
Date: 09/26/2007 06:56 AM
Subject: Re: XHR: definition of same-origin

On Wed, 26 Sep 2007 15:51:45 +0200, Boris Zbarsky <bzbarsky at MIT.EDU> wrote:
> Anne van Kesteren wrote:
>> Thanks. So it says that the origin of the Document object associated
>> with the Window pointer is the origin of the request. With a reference
>> to HTML5 to see what the origin of such a Document object actually is.
>> Or should it simply be the origin of the script?
>
> Those are possibly different origins when someone is doing something
> like:
>
>    window.frames[0].XMLHttpRequest
>
> right?  I agree that it's important to decide which origin to use in
> this case.

Yes. If I get all this stuff correctly a script could be running on
bar.com using the XMLHttpRequest from another frame which is on
foo.bar.com. Depending on which definition is used it can either access
bar.com or foo.bar.com content (but not both), right?


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
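As an added illustration of the scenario Anne describes above (this is not code from the original thread or from either working group), the following JavaScript models the same-origin comparison (scheme, host, port) and the two candidate definitions under discussion: attributing the request to the origin of the Document whose Window the XMLHttpRequest came from, or to the origin of the calling script. The function names, the "document"/"script" labels and the hosts bar.com and foo.bar.com are this example's own assumptions; it runs under Node.js, which provides the WHATWG URL class.

```javascript
// Added example, not part of the original thread. Models the origin
// comparison used by the same-origin policy and shows why the choice of
// "which origin owns the XMLHttpRequest" matters when a script on bar.com
// borrows window.frames[0].XMLHttpRequest from a frame hosted on foo.bar.com.
// The definition labels and host names below are constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = (scheme, host, port); a missing port means the scheme's default.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin only if all three components match exactly;
// a subdomain such as foo.bar.com is a different origin from bar.com.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Which origin the request is attributed to, under each candidate definition:
//  - "document": origin of the Document whose Window the XHR object came from
//  - "script":   origin of the script that is calling it
function requestOrigin(definition, scriptOrigin, xhrDocumentOrigin) {
  switch (definition) {
    case "document": return xhrDocumentOrigin;
    case "script": return scriptOrigin;
    default: throw new Error(`unknown definition: ${definition}`);
  }
}

// Would a request to targetUrl pass the plain same-origin check?
function requestAllowed(definition, scriptOrigin, xhrDocumentOrigin, targetUrl) {
  const origin = requestOrigin(definition, scriptOrigin, xhrDocumentOrigin);
  return sameOrigin(origin, targetUrl);
}

// Constructed scenario from the thread: script on bar.com, XHR taken from a
// frame on foo.bar.com. Under either definition exactly one of the two hosts
// is reachable, never both, which is the point Anne raises.
function scenario() {
  const script = "http://bar.com/page.html";
  const frameDoc = "http://foo.bar.com/frame.html";
  const results = {};
  for (const def of ["document", "script"]) {
    results[def] = {
      "bar.com": requestAllowed(def, script, frameDoc, "http://bar.com/api"),
      "foo.bar.com": requestAllowed(def, script, frameDoc, "http://foo.bar.com/api"),
    };
  }
  return results;
}

console.log(JSON.stringify(scenario(), null, 2));
```

Running it prints a table with `document` allowing only foo.bar.com and `script` allowing only bar.com; whichever definition a specification picks, an implementation that checks the other one will let a frame's constructor reach content the policy meant to keep apart.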