[whatwg] origin+path namespacing and security

Adam Barth whatwg at adambarth.com
Fri Aug 28 01:50:51 PDT 2009


On Fri, Aug 28, 2009 at 1:41 AM, Mike Wilson<mikewse at hotmail.com> wrote:
> - this mechanism needs a way to specify the blessed path,
>  maybe something along the lines of document.domain or a
>  response header

1) Document.domain is an abomination.  We certainly don't want more
features like that.

2) There's a race condition in such a "default insecure" approach: the
excluded paths can just XSS the page before it opts in to tighter
security.

Adam


More information about the whatwg mailing list