[whatwg] origin+path namespacing and security
Anne van Kesteren
annevk at opera.com
Fri Aug 28 00:34:04 PDT 2009
On Fri, 28 Aug 2009 09:29:55 +0200, Adam Barth <whatwg at adambarth.com>
wrote:
> On Fri, Aug 28, 2009 at 12:25 AM, Mike Wilson<mikewse at hotmail.com> wrote:
>> I see what you mean. The ideal thing would be if we
>> could implement path-based security with the same
>> construct that adds path-based namespacing.
>>
>> I realize the problem of backwards-compat, but have
>> there been any efforts or definitive conclusions made
>> in this area?
>
> I suspect the scheme+host+port model is too entrenched at this point
> to add +path to the origin tuple.
Note also that someone on /evilpath/ can simply inject an <iframe> loading
/targetpath/ and extract cookies from there via ECMAScript or initiate
requests from there, etc. Paths cannot be trusted to provide security.
(Maybe the specification should point that out.)
--
Anne van Kesteren
http://annevankesteren.nl/
More information about the whatwg
mailing list