The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.
Domains that allow others to upload information can be subjected to many different forms of attack. One such attack is Cross Site Scripting (XSS), in which malicious script is injected into a page served by a domain and then runs with that domain's privileges, where it can act on a user's applications and an organization's data. Many web browsers limit the reach of such attacks with a same-origin policy, which prevents script running in a first domain from reading data that belongs to a second domain, such as a session cookie. If an attacker nevertheless obtains a session cookie, the XSS attack can use it to gain access to the second domain and read or alter information there.
In some cases, network service providers use different domains for different services, but authentication is not always maintained across all of those domains. For example, some network service providers serve user-uploaded content, such as images and video, from a separate domain while relying on the primary domain's authentication only to decide whether to hand out a link to that content. As a result, anyone who obtains a link to content (for example, an image) on the content domain can retrieve it without authenticating to either the main domain or the content domain.
For example, in Facebook as currently constituted, a friend's profile picture may be served from a separate domain, and no authentication is required to fetch it. Authentication protects only the link. Anyone with the picture's URL can view it, even if they are not logged into Facebook and even if they lack the permissions that Facebook would require to view it. This structure allows an attacker to harvest links in one domain and then use them in the other without creating a session or authenticating in either domain.
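The following is an added illustration of the problem described above, not code from the original document, from Facebook, or from the invention it introduces. It contrasts a content domain that trusts the link itself (the "authentication only protects the link" pattern) with one common mitigation used in practice: a signed, user-bound, expiring URL that the content domain verifies against a live session before serving. All names, the secret key, the session table and the permission table are constructed assumptions for the example.

```python
"""Link-only protection versus an authenticated content domain.

Added example, not from the original page. SECRET, SESSIONS, PERMISSIONS and
CONTENT are constructed demo data; the hostnames are hypothetical."""
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Assumption: a signing key shared by the main domain and the content domain.
SECRET = b"constructed-demo-key"

# Constructed sample state: session cookie -> user, and who may see what.
SESSIONS = {"sess_alice": "alice", "sess_bob": "bob"}
PERMISSIONS = {"profile/carol.jpg": {"alice"}}        # only alice is carol's friend
CONTENT = {"profile/carol.jpg": b"\x89PNG...carol"}    # bytes the content domain serves


def serve_link_only(url):
    """Vulnerable pattern: the content domain trusts the link itself.
    Any holder of the URL gets the bytes, logged in or not, friend or not."""
    path = urlsplit(url).path.lstrip("/")
    return CONTENT.get(path)


def _sign(path, user, expires):
    # Bind the signature to the path, the user it was issued to, and the expiry.
    msg = f"{path}|{user}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_signed_url(path, session_cookie, now, ttl=300):
    """Main domain: after checking the session and the permission, hand out a
    URL bound to this user that is valid for ttl seconds. Returns None when the
    caller is not logged in or is not allowed to see the content."""
    user = SESSIONS.get(session_cookie)
    if user is None or user not in PERMISSIONS.get(path, set()):
        return None
    expires = now + ttl
    query = urlencode({"u": user, "e": expires, "sig": _sign(path, user, expires)})
    return f"https://content.example/{path}?{query}"


def serve_signed(url, session_cookie, now):
    """Content domain: re-check authentication instead of trusting the link.
    Requires a valid signature, an unexpired token, and a live session for the
    same user the token was issued to, so a harvested link alone is useless."""
    parts = urlsplit(url)
    path = parts.path.lstrip("/")
    query = parse_qs(parts.query)
    try:
        user, expires, sig = query["u"][0], int(query["e"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(sig, _sign(path, user, expires)):
        return None                       # tampered user, path or expiry
    if now > expires:
        return None                       # harvested link used after its window
    if SESSIONS.get(session_cookie) != user:
        return None                       # no session, or a different user's session
    return CONTENT.get(path)
```

In the link-only version the URL is effectively a capability: once it leaks, through XSS, a referrer header, a shared screenshot or a log, it works for everyone indefinitely. In the signed version the link is still not a secret worth protecting on its own; the content domain asks for the same two things the main domain does, a session and a permission decision, so a harvested link used without the right session, by a different user, or after its expiry returns nothing.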