[whatwg] Caching offline Web applications
Dave Camp
dave.camp at gmail.com
Tue Oct 21 14:24:24 PDT 2008
On Tue, Oct 21, 2008 at 12:47 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Tue, 21 Oct 2008, Dave Camp wrote:
>> On Fri, Oct 17, 2008 at 6:36 PM, Ian Hickson <ian at hixie.ch> wrote:
>> > Summary of changes:
>>
>> > * Made application caches scoped to their browsing context, and allowed
>> > iframes to start new scopes. By default the contents of an iframe are
>> > part of the appcache of the parent, but if you declare a manifest, you
>> > get your own cache.
>>
>> Should this inheritance be subject to the same origin restriction
>> enforced while selecting a cache during navigation?
>
> The same-origin restriction is intended to prevent people from setting up
> their manifests such that another site will stop being fetched from the
> net. In an iframe, the risk isn't present, since you have to go to the
> evil site in the first place, and it has to explicitly pick the victim
> site in an iframe. Since you can't tell what the URL of the victim iframe
> content is anyway, there's no practical difference between it being on a
> remote site or the same site, as far as i can tell.
>
> No?
Yeah, but it does let an evil site persist a potential dom-based xss
attack permanently. It still depends on you visiting the evil site
repeatedly, though.
-dave
More information about the whatwg
mailing list