Re: [xml-dev] Re: Javascript and plugging holes
- From: Henri Sivonen <hsivonen@iki.fi>
- To: "xml-dev@lists.xml.org List" <xml-dev@lists.xml.org>
- Date: Sun, 12 Dec 2010 19:26:46 -0800
On Dec 12, 2010, at 19:02, Kurt Cagle wrote:
> Sorry for the follow-up post here so soon after the other one, but I wanted to make a correction regarding cross domain XML.
>
> The cross domain issues of XML come about once that XML is inserted into the active DOM of a given document - if I were to load XML that contained inline JavaScript, for instance, into the DOM such that it was evaluated, then such XML would obviously be a security hole.
That's not *at all* what the Same-Origin restriction on XHR is about. The Same-Origin Policy isn't protecting the origin that uses XHR. It is protecting another origin that hosts XML from getting its confidential information leaked to the origin that uses XHR.
--
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
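
Added example, not part of the original message: a toy JavaScript model of the point made in the reply above, that the Same-Origin restriction on XHR protects the origin hosting the XML, not the page making the request. The hosts, the cookie value, the XML document and the function names `originOf` and `xhrGet` are constructed for illustration and are not a real browser API.

```javascript
// Toy model of a browser's Same-Origin check on XHR reads.
// All hosts, cookies and document contents are constructed sample data.

// An origin is the (scheme, host, port) triple of a URL.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Constructed server: returns private XML only when the user's session cookie arrives.
const servers = {
  "https://intranet.example:443": (path, cookie) =>
    cookie === "session=alice"
      ? { status: 200, body: "<salary employee='alice'>90000</salary>" }
      : { status: 403, body: "<error/>" },
};

// The browser attaches cookies by *target* origin, whichever page asked.
// That ambient credential is why the hosting origin needs protection.
const cookieJar = { "https://intranet.example:443": "session=alice" };

// Model of XHR as seen by the calling script.
function xhrGet(callerPageUrl, targetUrl, { enforceSameOrigin = true } = {}) {
  const caller = originOf(callerPageUrl);
  const target = originOf(targetUrl);
  if (enforceSameOrigin && caller !== target) {
    // Refused: the script of another origin never sees the hosted XML.
    return { readable: false, body: null, protects: target };
  }
  const handler = servers[target];
  if (!handler) throw new Error(`no constructed server for ${target}`);
  const res = handler(new URL(targetUrl).pathname, cookieJar[target]);
  return { readable: true, body: res.body, protects: null };
}

// Same origin: the intranet's own page may read its own XML.
const own = xhrGet("https://intranet.example/app", "https://intranet.example/pay.xml");
// Another origin: refused, and the party protected is the hosting origin.
const cross = xhrGet("https://other.example/page", "https://intranet.example/pay.xml");
// Policy switched off: the user's cookie rides along and the XML leaks.
const noPolicy = xhrGet("https://other.example/page",
  "https://intranet.example/pay.xml", { enforceSameOrigin: false });

console.log(own.readable, cross.readable, cross.protects, noPolicy.body);
```
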