[whatwg] origin+path namespacing and security
Adam Barth
whatwg at adambarth.com
Fri Aug 28 01:50:51 PDT 2009
On Fri, Aug 28, 2009 at 1:41 AM, Mike Wilson <mikewse at hotmail.com> wrote:
> - this mechanism needs a way to specify the blessed path,
> maybe something along the lines of document.domain or a
> response header
1) Document.domain is an abomination. We certainly don't want more
features like that.
2) There's a race condition in such a "default insecure" approach: the
excluded paths can just XSS the page before it opts in to tighter
security.
Adam