[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)
David-Sarah Hopwood
david-sarah at jacaranda.org
Thu Jul 9 16:53:22 EDT 2009
stay wrote:
> On Wed, Jul 8, 2009 at 12:37 PM, David-Sarah
> Hopwood<david-sarah at jacaranda.org> wrote:
>> stay wrote:
>>> On Mon, Jul 6, 2009 at 2:53 PM, Karp, Alan H<alan.karp at hp.com> wrote:
>>>> To your first point above, can the software making the request be a script
>>>> on a page or a browser plug-in? If so, what prevents Bob's Finance from
>>>> delivering to the user's browser software that will make requests as Acme Finance?
>>>
>>> The fact that almost no one installs plugins.
>>
>> That's not true. They install Flash, and Flash ActionScript code can make
>> such requests.
>
> Flash communication is bound by the same-domain rules unless the
> target server explicitly makes an exception via crossdomain.xml or (if
> the target of the request is a flash file) the allowDomain() function.
OK, I stand corrected (although I note that Flash has had many exploitable
security vulnerabilities).
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com