[whatwg] origin+path namespacing and security

Mike Wilson mikewse at hotmail.com
Fri Aug 28 02:17:36 PDT 2009


Adam Barth wrote:
> Mike Wilson<mikewse at hotmail.com> wrote:
> > - this mechanism needs a way to specify the blessed path,
> >  maybe something along the lines of document.domain or a
> >  response header
> 
> 1) Document.domain is an abomination.  We certainly don't want more
> features like that.
> 
> 2) There's a race condition in such a "default insecure" approach: the
> excluded paths can just XSS the page before it opts in to tighter
> security.

I also wrote:
> > My chain of thoughts is something like below (this 
> > is just a general picture so don't take it too 
> > literally):
so please feel welcome to provide alternatives instead 
of just killing the provided analogies.

But more interesting is, are you saying that it is not
possible, under any circumstance, to design a secure
opt-in mechanism in this case? My belief was that 
security information delivered before the actual 
document contents (like a response header) could 
activate the desired security level before creation of 
the related JS context.

Best regards
Mike




More information about the whatwg mailing list