[whatwg] origin+path namespacing and security

Anne van Kesteren annevk at opera.com
Fri Aug 28 00:34:04 PDT 2009

On Fri, 28 Aug 2009 09:29:55 +0200, Adam Barth <whatwg at adambarth.com>  
> On Fri, Aug 28, 2009 at 12:25 AM, Mike Wilson<mikewse at hotmail.com> wrote:
>> I see what you mean. The ideal thing would be if we
>> could implement path-based security with the same
>> construct that adds path-based namespacing.
>> I realize the problem of backwards-compat, but have
>> there been any efforts or definitive conclusions made
>> in this area?
> I suspect the scheme+host+port model is too entrenched at this point
> to add +path to the origin tuple.

Note also that someone on /evilpath/ can simply inject an <iframe> loading  
/targetpath/ and extract cookies from there via ECMAScript or initiate  
requests from there, etc. Paths cannot be trusted to provide security.  
(Maybe the specification should point that out.)

Anne van Kesteren

More information about the whatwg mailing list