XSS and sub-domains

Posted: Sat May 03, 2014 11:15 am
by erosman
Hi

Many sites use sub-domains for processing their content management.

While there are occasions when some sub-domains may not be as closely related, often the case is that they are part of the same site.

I came across a situation where NoScript blocked sub-domains as XSS (a.site.com -> b.site.com).
Wouldn't it be more logical to treat sub-domains as being part of the same domain?

Re: XSS and sub-domains

Posted: Sat May 03, 2014 4:21 pm
by barbaz
No, because there exist domains like blogspot.com and cloudfront.net where the subdomain owners are actually different people/corporations/entities, and in such cases it's possible that one could deliberately and maliciously try to XSS another.
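The distinction barbaz draws is the one browsers make with the Public Suffix List: two hosts are the same "site" only when they share a registrable domain (public suffix plus one label), and blogspot.com and cloudfront.net are listed as public suffixes precisely because each sub-domain belongs to a different party. The following is an added example, not code from the thread or from NoScript; it embeds a small constructed subset of the list (the real list also has wildcard and exception rules, which are omitted here) and the host names are made up.

```javascript
// Added example (not from the forum thread or NoScript): decide whether two
// hostnames belong to the same registrable domain, the way browsers do with
// the Public Suffix List (https://publicsuffix.org/). Only a tiny constructed
// subset of that list is embedded so the example runs offline; wildcard and
// exception rules from the real list are not modelled.
const PUBLIC_SUFFIXES = new Set([
  "com", "net", "org", "uk", "co.uk",
  // "Private" section entries: every sub-domain is owned by a different party,
  // so a.blogspot.com and b.blogspot.com must NOT be treated as one site.
  "blogspot.com", "cloudfront.net",
]);

// Normalise a hostname into lower-case labels without a trailing dot.
function labelsOf(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".");
}

// Public suffix of a host: the longest trailing run of labels found in the
// list. Unknown TLDs fall back to the last label, as the real algorithm does.
function publicSuffix(host) {
  const labels = labelsOf(host);
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// Registrable domain (eTLD+1): public suffix plus exactly one more label.
// Returns null when the host *is* a public suffix, e.g. "blogspot.com" itself.
function registrableDomain(host) {
  const labels = labelsOf(host);
  const suffixLen = publicSuffix(host).split(".").length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Two hosts are "same site" only if both have a registrable domain and it matches.
function sameSite(a, b) {
  const ra = registrableDomain(a);
  const rb = registrableDomain(b);
  return ra !== null && ra === rb;
}

// Constructed host names illustrating the thread's two cases.
console.log(sameSite("a.site.com", "b.site.com"));                     // true
console.log(sameSite("alice.blogspot.com", "mallory.blogspot.com"));   // false
console.log(sameSite("d1.cloudfront.net", "d2.cloudfront.net"));       // false
```

With this rule a.site.com and b.site.com resolve to the same registrable domain, site.com, while two blogspot.com sub-domains each resolve to themselves and are therefore kept apart, which is the behaviour the reply above argues for.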