Comments on: Web 2.0 and “Defense in Depth” http://www.gdssecurity.com/l/b/2008/04/24/web-20-and-%e2%80%9cdefense-in-depth%e2%80%9d/ Gotham Digital Science Security Blog Wed, 01 Sep 2010 06:49:07 +0000 http://wordpress.org/?v=abc hourly 1 By: Elvina http://www.gdssecurity.com/l/b/2008/04/24/web-20-and-%e2%80%9cdefense-in-depth%e2%80%9d/comment-page-1/#comment-196 Elvina Tue, 28 Oct 2008 16:16:40 +0000 http://www.gdssecurity.com/l/b/2008/04/24/web-20-and-%e2%80%9cdefense-in-depth%e2%80%9d/#comment-196 Good post. Good post.

]]> By: Brian Holyfield http://www.gdssecurity.com/l/b/2008/04/24/web-20-and-%e2%80%9cdefense-in-depth%e2%80%9d/comment-page-1/#comment-54 Brian Holyfield Fri, 25 Apr 2008 15:09:40 +0000 http://www.gdssecurity.com/l/b/2008/04/24/web-20-and-%e2%80%9cdefense-in-depth%e2%80%9d/#comment-54 Excellent point that is worthy of expanding on. The SRC of the un-trusted IFrame should come from a separate domain so that the browser enforces the cross-domain security policy. This means that if you are not pulling the IFRAME SRC directly from another domain, you'll need to create a separate domain for serving the un-trusted content from. The separate domain can be a sub-domain, as long as you haven't changed the "document.domain" value of your page to be the parent domain (allowing other sites within your domain to circumvent the same origin security policy). If you have done this, then you may need to set up a totally different "dirty" domain to serve the un-trusted content from. Excellent point that is worthy of expanding on. The SRC of the un-trusted IFrame should come from a separate domain so that the browser enforces the cross-domain security policy. This means that if you are not pulling the IFRAME SRC directly from another domain, you’ll need to create a separate domain for serving the un-trusted content from.

The separate domain can be a sub-domain, as long as you haven’t changed the “document.domain” value of your page to be the parent domain (allowing other sites within your domain to circumvent the same origin security policy). If you have done this, then you may need to set up a totally different “dirty” domain to serve the un-trusted content from.

]]> By: John Ther http://www.gdssecurity.com/l/b/2008/04/24/web-20-and-%e2%80%9cdefense-in-depth%e2%80%9d/comment-page-1/#comment-53 John Ther Fri, 25 Apr 2008 06:47:56 +0000 http://www.gdssecurity.com/l/b/2008/04/24/web-20-and-%e2%80%9cdefense-in-depth%e2%80%9d/#comment-53 I think it's important to clear up that seperated Iframe should be called from a different (sub)domain otherwise it's not gonna change anything in the DOM level. Because any Iframe within the same domain can access to parent. I think it’s important to clear up that seperated Iframe should be called from a different (sub)domain otherwise it’s not gonna change anything in the DOM level. Because any Iframe within the same domain can access to parent.

]]>