XSS and sub-domains

erosman

XSS and sub-domains

Post by erosman »

Hi

Many sites use sub-domains for processing their content management.

While there are occasions where some sub-domains may not be as closely related, often the case is that they are part of the same site.

I came across a situation where NoScript blocked sub-domains as XSS (a.site.com -> b.site.com).
Wouldn't it be more logical to treat sub-domains as being part of the same domain?
barbaz
Senior Member
Posts: 11163
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS and sub-domains

Post by barbaz »

No, because there exist domains like blogspot.com and cloudfront.net where the subdomain owners are actually different people/corporations/entities, and in such cases it's possible that one could deliberately and maliciously try to XSS another.
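The distinction barbaz draws is the one the Public Suffix List formalises: a "public suffix" is a domain under which unrelated parties can register names, so two hosts are only plausibly the same site when they share the same registrable domain (public suffix plus one label). The script below is an added illustration, not NoScript's code and not from anyone in this thread. It embeds a tiny hand-picked subset of the Public Suffix List (the real list contains thousands of rules, including wildcard and exception rules this toy version does not implement) and shows why `a.site.com` / `b.site.com` share a registrable domain while `alice.blogspot.com` / `bob.blogspot.com` do not, even though both pairs look like "sub-domains of the same domain".

```python
# Public-suffix-based "same site" check (constructed example).
# SUFFIXES is a hand-picked subset of the Public Suffix List
# (https://publicsuffix.org/); a real implementation loads the full list,
# e.g. with the `tldextract` or `publicsuffix2` packages.
SUFFIXES = {
    "com", "net", "org",
    "co.uk",
    "blogspot.com",    # PSL private section: each sub-domain is a different blog owner
    "cloudfront.net",  # PSL private section: each sub-domain is a different CDN customer
}


def _labels(host):
    """Normalise a hostname into its lower-case DNS labels."""
    return host.lower().rstrip(".").split(".")


def public_suffix(host, suffixes=SUFFIXES):
    """Return the longest suffix of host (by label count) found in suffixes.

    Falls back to the last label when nothing matches, which is how the
    real algorithm treats unknown top-level domains.
    """
    labels = _labels(host)
    # Walk from the full host down to the TLD; the first hit is the longest match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return labels[-1]


def registrable_domain(host, suffixes=SUFFIXES):
    """eTLD+1: the public suffix plus the label immediately above it.

    Returns None when the host *is* a public suffix (e.g. "blogspot.com"),
    since nobody owns that name as a site.
    """
    labels = _labels(host)
    n_suffix = len(public_suffix(host, suffixes).split("."))
    if len(labels) <= n_suffix:
        return None
    return ".".join(labels[-(n_suffix + 1):])


def same_site(host_a, host_b, suffixes=SUFFIXES):
    """Two hosts are same-site only if they share a (non-None) registrable domain."""
    ra = registrable_domain(host_a, suffixes)
    rb = registrable_domain(host_b, suffixes)
    return ra is not None and ra == rb


def classify_request(source_host, target_host, suffixes=SUFFIXES):
    """Label a source->target navigation the way a filter deciding trust boundaries might."""
    if source_host.lower() == target_host.lower():
        return "same-host"
    if same_site(source_host, target_host, suffixes):
        return "same-site"
    return "cross-site"


if __name__ == "__main__":
    # Constructed sample pairs: the first looks like erosman's case, the
    # second is the shared-hosting case barbaz describes.
    for src, dst in [("a.site.com", "b.site.com"),
                     ("alice.blogspot.com", "bob.blogspot.com"),
                     ("d111111abcdef8.cloudfront.net", "d222222abcdef8.cloudfront.net"),
                     ("www.example.co.uk", "shop.example.co.uk")]:
        print(f"{src:32} -> {dst:32} {classify_request(src, dst)}")
```

Note that even a correct registrable-domain check only tells you who *could* have registered the name, not that the two hosts trust each other; a filter that wants to be safe by default therefore treats any host change as a trust-boundary crossing and lets the user whitelist the pairs they know belong together.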