OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Re: Javascript and plugging holes

On Dec 12, 2010, at 19:02, Kurt Cagle wrote:

> Sorry for the follow-up post here so soon after the other one, but I wanted to make a correction regarding cross domain XML.
> The cross domain issues of XML come about once that XML is inserted into the active DOM of a given document - if I were to load XML that contained inline JavaScript, for instance, into the DOM such that it was evaluated, then such XML would obviously be a security hole. 

That's not *at all* what the Same-Origin restriction on XHR is about. The Same-Origin Policy isn't protecting the origin that uses XHR. It is protecting another origin that hosts XML from getting its confidential information leaked to the origin that uses XHR.

Henri Sivonen

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS