[whatwg] JSONRequest

Darin Fisher darin at meer.net
Mon Mar 13 11:12:46 PST 2006


Gervase Markham wrote:
> Darin Fisher wrote:
>   
>> Backing up a second, I think what we need is a way to grant websites the
>> ability to control who may access their resources.  It'd be ideal if the
>> browser had a way to ask the server for the list of hosts (or domains)
>> that are permitted to access it.  I don't think this is a new idea as
>> several specifications have been attempted along these lines.  Mozilla
>> even implements one of them for its SOAP and WSDL implementation.
>>     
>
> My idea for that (bit of a one-track mind, me) was a Use-Domain: HTTP
> header. The JSON data would be served with "Use-Domain:
> www.mydomain.com", and the browser would refuse to give any page not
> from that domain access to the data.
>
> You could also use it to prevent image bandwidth stealing.
>
> Gerv
>   

Keep in mind that there is also the problem that the POST request may 
have undesirable side-effects.  The web app probably needs a request 
header from the browser to tell it what domain is sending it data.  The 
Referer header is not sufficient since the browser will not send an HTTPS 
referrer-URI over plaintext.

We need to restrict READs as well as WRITEs when it comes to XSS ;-)

-Darin
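
The write-side and read-side checks discussed in this thread, as an added example that is not part of the original message. It assumes the browser's present-day `Origin` request header and `Access-Control-Allow-Origin` response header in place of the headers proposed above; the allow-list, function names and sample requests are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: the origins this hypothetical service accepts data from.
ALLOWED_ORIGINS = {"https://www.mydomain.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def sending_origin(headers):
    """Return (origin, source_header) for the page that issued the request."""
    if "Origin" in headers:
        # A dedicated header wins outright; "null" simply fails the allow-list.
        return headers["Origin"], "Origin"
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}", "Referer"
    # Neither header present, e.g. the Referer was withheld by the browser.
    return None, None


def authorize(method, headers):
    """Decide whether the handler may run and whether the caller may read the reply."""
    origin, source = sending_origin(headers)
    trusted = origin in ALLOWED_ORIGINS
    if method not in SAFE_METHODS and not trusted:
        # Write side: unknown or missing sender is refused before any side effect.
        return {"status": 403, "run_handler": False, "response_headers": {}}
    response_headers = {"Vary": "Origin"}
    if trusted and source == "Origin":
        # Read side: name the one origin whose pages may see the response body.
        response_headers["Access-Control-Allow-Origin"] = origin
    return {"status": 200, "run_handler": True, "response_headers": response_headers}


if __name__ == "__main__":
    # Constructed sample requests.
    print(authorize("POST", {"Origin": "https://www.mydomain.com"}))
    print(authorize("POST", {"Origin": "https://other.example"}))
    print(authorize("POST", {}))  # no Origin and no Referer: fails closed
    print(authorize("GET", {"Origin": "https://other.example"}))
```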


