
  • From: Henri Sivonen <hsivonen@i...>
  • To: "xml-dev@l... List" <xml-dev@l...>
  • Date: Sun, 12 Dec 2010 19:26:46 -0800

On Dec 12, 2010, at 19:02, Kurt Cagle wrote:

> Sorry for the follow-up post here so soon after the other one, but I wanted to make a correction regarding cross domain XML.
> 
> The cross domain issues of XML come about once that XML is inserted into the active DOM of a given document - if I were to load XML that contained inline JavaScript, for instance, into the DOM such that it was evaluated, then such XML would obviously be a security hole. 

That's not *at all* what the Same-Origin restriction on XHR is about. The Same-Origin Policy isn't protecting the origin that uses XHR. It is protecting another origin that hosts XML from getting its confidential information leaked to the origin that uses XHR.

-- 
Henri Sivonen
hsivonen@i...
http://hsivonen.iki.fi/
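
An added illustration of the point made in the reply above; it is not part of the original message. It is a toy model of the browser's read check, and it assumes the hosting origin guards its XML with a session cookie. All origins, the cookie value and the XML body are constructed sample values.

```javascript
// Toy model of the Same-Origin restriction on XHR reads.
// Every origin, cookie and XML string here is a constructed sample value.

// Assumption: the confidential XML is guarded by a session cookie that the
// browser attaches to every request sent to the hosting origin.
const cookieJar = { "https://bank.example": "session=constructed-abc123" };

// The hosting origin returns confidential XML only to its logged-in user.
function hostingServer(cookie) {
  return cookie === "session=constructed-abc123"
    ? "<account><balance>1200</balance></account>"
    : "<error>login required</error>";
}

// Origin = scheme + host + port, as serialized by the URL API.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Models XHR issued by a script running in pageUrl. With enforce=false the
// model shows what the requesting page could read without the restriction.
function xhrRead(pageUrl, targetUrl, enforce = true) {
  if (enforce && !sameOrigin(pageUrl, targetUrl)) {
    return { allowed: false, responseText: null };
  }
  // The cookie reflects the user's session with the target origin,
  // not any right held by the page that asked for the request.
  const cookie = cookieJar[new URL(targetUrl).origin];
  return { allowed: true, responseText: hostingServer(cookie) };
}

const target = "https://bank.example/statement.xml";
const ownPage = "https://bank.example/app";
const otherPage = "https://other.example/page";

console.log(xhrRead(ownPage, target));          // hosting origin reads its own XML
console.log(xhrRead(otherPage, target));        // cross-origin: nothing exposed
console.log(xhrRead(otherPage, target, false)); // no policy: XML reaches other.example
```

The party that loses in the third call is bank.example and its user, not the page that made the request.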



