[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Re: Javascript and plugging holes

• From: Henri Sivonen <hsivonen@iki.fi>
• To: "xml-dev@lists.xml.org List" <xml-dev@lists.xml.org>
• Date: Sun, 12 Dec 2010 19:26:46 -0800

On Dec 12, 2010, at 19:02, Kurt Cagle wrote:

> Sorry for the follow-up post here so soon after the other one, but I wanted to make a correction regarding cross domain XML.
> 
> The cross domain issues of XML come about once that XML is inserted into the active DOM of a given document - if I were to load XML that contained inline JavaScript, for instance, into the DOM such that it was evaluated, then such XML would obviously be a security hole. 

That's not *at all* what the Same-Origin restriction on XHR is about. The Same-Origin Policy isn't protecting the origin that uses XHR. It is protecting another origin that hosts XML from getting its confidential information leaked to the origin that uses XHR.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

• References:
  • Javascript and plugging holes was: Cross-domain loading of XML
    • From: Stephen Green <stephengreenubl@gmail.com>
  • Re: Javascript and plugging holes
    • From: Henri Sivonen <hsivonen@iki.fi>
  • Re: Re: Javascript and plugging holes
    • From: Stephen Green <stephengreenubl@gmail.com>
  • Re: Re: Javascript and plugging holes
    • From: Stephen Green <stephengreenubl@gmail.com>
  • RE: Re: Javascript and plugging holes
    • From: "David Lee" <dlee@calldei.com>
  • Re: Re: Javascript and plugging holes
    • From: Stephen Green <stephengreenubl@gmail.com>
  • Re: Re: Javascript and plugging holes
    • From: "Simon St.Laurent" <simonstl@simonstl.com>
  • Re: Re: Javascript and plugging holes
    • From: Henri Sivonen <hsivonen@iki.fi>
  • Re: Re: Javascript and plugging holes
    • From: Kurt Cagle <kurt.cagle@gmail.com>