List: kfm-devel
Subject: Re: Possible security problem in KHTML or KMail?
From: Ilya Konstantinov <kfm-devel () future ! shiny ! co ! il>
Date: 2001-10-11 18:42:17
On Thu, Oct 11, 2001 at 08:32:05PM +0200, Martijn Klingens wrote:
> I'd prefer Ilya's suggestion here: deny access between two frames that are
> not using the same protocol (http/ftp/etc.) _and_ the same server. Maybe
> filtering on protocol should be loosened a bit to make http/https
> cross-references possible, but apart from that I mostly agree with Ilya's
> suggestion.

This is not my suggestion - this is an essential part of Javascript -
the "Same Origin Policy":

http://developer.netscape.com/docs/manuals/js/client/jsguide/sec.htm

BTW, http vs. https is exactly the place where it shouldn't be loosened
up. An unsecure page shouldn't be able to read anything which was
delivered over a secure (possibly authenticated) channel.
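
Added example (not part of the original message, and not KHTML or KMail code): the strict frame-access check next to the loosened http/https variant proposed in the quoted text, to show what the loosening would permit. Function names and the example.test URLs are hypothetical; comparing the port as well as protocol and server follows Netscape's definition of the policy.

```javascript
// Reduce a frame's URL to the values the Same Origin Policy compares.
// The WHATWG URL parser lowercases the host and drops default ports.
function originOf(url) {
  const u = new URL(url);
  return { protocol: u.protocol, host: u.hostname, port: u.port };
}

// Strict rule: protocol, server and port must all match.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Loosened rule from the quoted proposal: http and https are treated as
// one protocol, so only the server is left to tell the two frames apart.
function loosenedSameOrigin(a, b) {
  const fold = (p) => (p === "https:" ? "http:" : p);
  const x = originOf(a);
  const y = originOf(b);
  return fold(x.protocol) === fold(y.protocol) && x.host === y.host;
}

// Decide whether script in `accessor` may read the document in `target`
// under each rule, so the difference between the two is visible.
function checkFrameAccess(accessor, target) {
  return {
    strict: sameOrigin(accessor, target),
    loosened: loosenedSameOrigin(accessor, target),
  };
}

// Constructed sample frames: one fetched in the clear, one over TLS.
const plainFrame = "http://mail.example.test/banner.html";
const secureFrame = "https://mail.example.test/inbox";

// The strict rule denies the read; the loosened rule would let the page
// delivered over plain http read content delivered over https.
console.log(checkFrameAccess(plainFrame, secureFrame));
// Two frames from the same https server pass under both rules.
console.log(checkFrameAccess("https://mail.example.test/a", secureFrame));
```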