Wednesday, December 5th, 2007
In Cross Site Scripting Joy, Andrew Betts has taken the time to go into real detail on XSS and the fun and frolics that we have with the Same Origin Policy and beyond:
So the battle over XSS as a security problem has moved on from the same origin policy, but same origin remains a massive obstacle to development of useful non-malicious services, and thatâ€™s particularly true of Comet, because there are typically two servers involved in any comet setup: a web server like Apache, and a comet server like Meteor or Orbited.
There are essentially three choices for making these two servers play together:
- marry them: have one server that serves both your Comet connections and the standard ones (including any dynamically generated content);
- have a regular web server with a Comet server sitting in front of it, so all connections are made to the Comet server, and it proxies the non-comet connections to the web server;
- have both the Comet and the regular web server exposed to the web, and request applicable content from each one.
Andrew then decided to write a bunch of tests (38 in fact) to see how the SOP is implemented in various browsers, and ended up with the following thorough information:
Posted by Dion Almaer at 6:45 am