[WEB SECURITY] Isolating web applications under the same domain name
rcbarnett at gmail.com
Thu Dec 20 12:26:34 EST 2012
Perhaps issuing different CSP headers for the different paths (with
different policies) vs. only once when they hit your main index page.
From: Ahamed Nafeez <ahamednafeez at gmail.com>
Date: Thursday, December 20, 2012 5:50 AM
To: <websecurity at lists.webappsec.org>
Subject: [WEB SECURITY] Isolating web applications under the same domain
> Hi all,
> I was just wondering how we could isolate different web applications under
> the same domain name. Say my domain name is 'site.com' and I have my main web
> application running under 'site.com/default/'. And let's say that I have a
> use case where I need to run a blog, so I might have another web application
> like, say, 'WordPress' running under 'site.com/blog'.
> Now how can I isolate these two with respect to client-side security? I'm
> already aware that according to the same-origin policy I can have my blog
> running under a different sub-domain like blog.site.com.
> But let's assume that I don't get a chance to do that (isolating based on
> different domains / sub-domains).
> One possible way is to set cookies with respect to path, but that can be
> eventually bypassed with an XSS in the vulnerable application by injecting the
> desired iFrame and reading from that.
> Is there a better way to isolate web applications under the same domain?
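The per-path CSP idea from the reply above, worked through as an added example (this is not code from either poster): a small Go `net/http` middleware that attaches a different Content-Security-Policy to every response depending on whether the request falls under the main application path or the blog path. The path prefixes `/default/` and `/blog/` and the host `site.com` are taken from the question; the policy strings and handler names are assumptions. Because CSP Level 2 allows a path inside a source expression (a path ending in `/` matches everything beneath it), a response under `/default/` can be told to load script and style only from `/default/`, and `frame-ancestors 'none'` refuses the iframe embedding the question worries about. The caveat a practitioner should keep in mind: CSP governs what a page loads and who may frame it, but the browser's security boundary is still the origin, so script running under `/blog/` shares cookies, storage and same-origin DOM access with `/default/`. Per-path policies narrow the blast radius; only a separate origin removes it.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Hypothetical path-to-policy table for the two applications in the thread.
// Source expressions carry a path so that pages under one prefix cannot pull
// script or style from the other; frame-src 'none' stops either app from
// embedding the other and frame-ancestors 'none' stops either from being
// embedded. Host and policies are constructed for this example.
var cspByPrefix = map[string]string{
	"/default/": "default-src 'none'; " +
		"script-src https://site.com/default/; " +
		"style-src https://site.com/default/; " +
		"img-src https://site.com/default/; " +
		"connect-src https://site.com/default/; " +
		"form-action https://site.com/default/; " +
		"frame-src 'none'; frame-ancestors 'none'",
	"/blog/": "default-src 'none'; " +
		"script-src https://site.com/blog/; " +
		"style-src https://site.com/blog/; " +
		"img-src https://site.com/blog/; " +
		"connect-src https://site.com/blog/; " +
		"form-action https://site.com/blog/; " +
		"frame-src 'none'; frame-ancestors 'none'",
}

// strictFallback is sent for any path that belongs to neither application,
// so an unanticipated path never ships without a policy.
const strictFallback = "default-src 'none'; frame-ancestors 'none'"

// policyFor returns the policy of the longest matching prefix, or the
// fallback. Map iteration order is random in Go, so the longest-prefix rule
// makes the choice deterministic even if prefixes nest.
func policyFor(path string) string {
	bestPrefix, policy := "", strictFallback
	for prefix, p := range cspByPrefix {
		if strings.HasPrefix(path, prefix) && len(prefix) > len(bestPrefix) {
			bestPrefix, policy = prefix, p
		}
	}
	return policy
}

// withCSP wraps a handler so every response carries the policy for its path.
// The header is set before the inner handler writes, since headers sent after
// the first body write are silently dropped.
func withCSP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", policyFor(r.URL.Path))
		next.ServeHTTP(w, r)
	})
}

// newMux builds the two stand-in applications behind the CSP middleware.
// In a real deployment the /blog/ handler would proxy to WordPress.
func newMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/default/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprintln(w, "<html><body>main application</body></html>")
	})
	mux.HandleFunc("/blog/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprintln(w, "<html><body>blog</body></html>")
	})
	return withCSP(mux)
}

func main() {
	log.Println("listening on 127.0.0.1:8080")
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", newMux()))
}
```

Run it and compare `curl -sI http://127.0.0.1:8080/default/` against `curl -sI http://127.0.0.1:8080/blog/`: each response carries only its own application's policy. If the applications sit behind a reverse proxy rather than one Go process, the same table translates directly into per-location `add_header` rules in nginx or per-`<Location>` `Header set` rules in Apache.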