List:       kfm-devel
Subject:    Re: Possible security problem in KHTML or KMail?
From:       Ilya Konstantinov <kfm-devel () future ! shiny ! co ! il>
Date:       2001-10-11 18:42:17

On Thu, Oct 11, 2001 at 08:32:05PM +0200, Martijn Klingens wrote:
> I'd prefer Ilya's suggestion here: deny access between two frames that are 
> not using the same protocol (http/ftp/etc.) _and_ the same server. Maybe 
> filtering on protocol should be loosened a bit to make http/https 
> cross-references possible, but apart from that I mostly agree with Ilya's 
> suggestion.

This is not my suggestion - this is an essential part of Javascript -
the "Same Origin Policy":

http://developer.netscape.com/docs/manuals/js/client/jsguide/sec.htm

BTW, http vs. https is exactly the place where it shouldn't be loosened
up. An unsecure page shouldn't be able to read anything which was
delivered over a secure (possibly authenticated) channel.
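
The rule discussed in this thread, as an added example that is not part of the original message or of KHTML's code: a strict same-origin comparison beside the loosened http/https variant, showing which frame pairs each one lets through. The function names, the port handling and the `.example` URLs are assumptions made for illustration.

```javascript
// Added example. All URLs are constructed sample values.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a URL to the (protocol, host, port) triple that gets compared.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Strict rule: protocol, host and port must all match.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Loosened rule (hypothetical): http and https count as one protocol,
// so the port can no longer be compared either (80 vs. 443).
function sameOriginLoosened(a, b) {
  const x = originOf(a), y = originOf(b);
  const family = (s) => (s === "http:" || s === "https:" ? "web" : s);
  return family(x.scheme) === family(y.scheme) && x.host === y.host;
}

// Frame pairs: [frame asking for access, frame being read].
const FRAME_PAIRS = [
  ["http://shop.example/a.html", "http://shop.example/b.html"],
  ["http://shop.example/banner.html", "https://shop.example/account"],
  ["http://shop.example/a.html", "http://other.example/b.html"],
  ["ftp://shop.example/readme", "http://shop.example/a.html"],
];

// Evaluate both rules over every pair.
function evaluate(pairs = FRAME_PAIRS) {
  return pairs.map(([from, to]) => ({
    from,
    to,
    strict: sameOrigin(from, to),
    loosened: sameOriginLoosened(from, to),
  }));
}

for (const r of evaluate()) {
  console.log(`${r.from} -> ${r.to}  strict=${r.strict} loosened=${r.loosened}`);
}
```

Only the second pair differs between the two rules: under the loosened check a frame loaded over plain http is allowed to read a frame that was delivered over https.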
