OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Open Platform

On Mon, Dec 13, 2010 at 5:06 PM, Henri Sivonen <hsivonen@iki.fi> wrote:
> On Dec 13, 2010, at 06:30, Michael Kay wrote:
>> Security restrictions in terms of what resources are accessible are of course reasonable, though as far as I can see the cross-site-scripting rules seem to be about as relevant to the real threat model as the theatrical checks performed in airport security halls.
> Could you, please, elaborate? How is the Same-Origin Policy not relevant to the threat of information leakage when the browser has ambient authorization to access private data from another origin?

* Copy and paste
* proxy content through a machine under your control

Simple enough to get around for those concerns. Why does the browser
need to be the policeman, especially for XML that (other than some
huge document) cannot affect the user's session. With the 'ambient
authorization' you (the information leaker) at least know something
about the end user getting your content. With proxying or scraping,
you don't.

Laws exist that offer remedies to copyright infringement.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS