Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Dan Kaminsky (dandoxpara.com)
Date: Sun Sep 12 2010 - 18:56:28 CDT
The idea is the same as crossdomain.xml in flash -- content can
explicitly opt into being shared across domain boundaries.
Our real problem is that there's no way to know whether content is
generically available to the Internet, or just you because of IP
firewalling / cookies / whatnot. So we have to default to blocking
all cross domain reads, since that other domain might be hosting your
On Sun, Sep 12, 2010 at 7:43 PM, <paul.szabosydney.edu.au> wrote:
> One of my users asked me to install MathJax on my server.
> Reading installation instructions in
> I came across the following:
> ... Firefox's same-origin security policy for cross-domain scripting.
> Firefox's interpretation of the same-origin policy is more strict than
> most other browsers, and it affects how fonts are loaded with the
> font-face CSS directive. ...
> There is a solution to this, however, if you manage the server ...
> create a file called .htaccess that contains the following lines: ...
> Header set Access-Control-Allow-Origin "*"
> That would suggest that this same-origin policy can be defeated by
> settings on the "evil" server: the policy is not enforced, useless.
> Did I misunderstand something?
> (Does not really matter to me, am not planning on using that setting,
> but am wondering about Firefox workings.)
> Paul Szabo pszmaths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/