[whatwg] Proposal for cross domain security framework

Frank Hellenkamp jonas at depagecms.net
Fri Jun 20 08:58:37 PDT 2008


> 1. Browser downloads a script from server A.
> 2. Script tries to connect to server B.
> 3. Browser looks up server B's IP-address.
> 4. Browser performs a reverse lookup of server B's IP-address and gets
> a host name for the server.
> 5. Browser looks up a special TXT record in the DNS record for Server
> B, which states each of the IP addresses/host names that can host
> scripts allowed to connect.
> 
> DNS records are cached in multiple places (including at the local
> computer), so a DDOS attack attempting to take down DNS servers would
> probably not succeed.

DNS server information is often not accessible for many hosts/shared hosts.

Adobe has some of the same problems with the Adobe Flash Player.
They use a crossdomain.xml file to provide policy information.

In Flash Player 9,0,115,0 they introduced something like meta-policies:

http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_04.html

Probably worth a read, when we discuss this topic...


best regards,

frank hellenkamp

-- 
frank hellenkamp | interface designer
hasenheide 53 | 10967 berlin

+49.30.49 78 20 70 | tel
+49.173.70 55 781 | mbl
+49.1805.4002.243 912 | fax
jonas at depagecms.net | mail

http://depagecms.net

strnr 14/339/61587
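The five-step check from the quoted proposal, modelled as an added example that is not code from the thread or from any browser: a stub resolver supplies constructed A, PTR and TXT records, the TXT record syntax (`v=xdomain1 allow=...`) is an assumption, and the policy is read from the name returned by the reverse lookup, as step 5 describes.

```python
from dataclasses import dataclass, field

@dataclass
class StubResolver:
    """Constructed DNS data standing in for real lookups (A, PTR, TXT)."""
    a: dict = field(default_factory=dict)    # host name -> IPv4 address
    ptr: dict = field(default_factory=dict)  # IPv4 address -> host name
    txt: dict = field(default_factory=dict)  # host name -> list of TXT strings

# Hypothetical syntax for the "special TXT record" (assumption, not taken
# from the proposal): "v=xdomain1 allow=<host-or-ip>[,<host-or-ip>...]"
POLICY_PREFIX = "v=xdomain1 allow="

def parse_policy(txt_records):
    """Collect the script hosts / IPs that the policy TXT records permit."""
    allowed = set()
    for rec in txt_records:
        if rec.startswith(POLICY_PREFIX):
            parts = rec[len(POLICY_PREFIX):].split(",")
            allowed.update(p.strip() for p in parts if p.strip())
    return allowed

def may_connect(resolver, script_host, target_host):
    """Steps 2-5 of the proposal: may a script from script_host reach target_host?"""
    target_ip = resolver.a.get(target_host)              # step 3: forward lookup
    if target_ip is None:
        return False
    reverse_name = resolver.ptr.get(target_ip)           # step 4: reverse lookup
    if reverse_name is None:
        return False                                      # no PTR -> no policy -> deny
    allowed = parse_policy(resolver.txt.get(reverse_name, []))  # step 5: policy TXT
    script_ip = resolver.a.get(script_host)
    # the record may list the script server by host name or by IP address
    return script_host in allowed or (script_ip is not None and script_ip in allowed)

# Constructed sample zone data (RFC 5737 documentation addresses).
DNS = StubResolver(
    a={"scripts.example": "192.0.2.1", "other.example": "192.0.2.2",
       "api.example": "192.0.2.10", "shop.example": "192.0.2.20"},
    ptr={"192.0.2.10": "api.example",
         # shared host: the PTR name belongs to the hoster, not to shop.example
         "192.0.2.20": "vhost7.shared-hosting.example"},
    txt={"api.example": ["v=xdomain1 allow=scripts.example,192.0.2.2"]},
)

if __name__ == "__main__":
    for script, target in [("scripts.example", "api.example"), ("other.example", "api.example"),
                           ("unlisted.example", "api.example"), ("scripts.example", "shop.example")]:
        print(f"{script} -> {target}: {'allow' if may_connect(DNS, script, target) else 'deny'}")
```

The last case shows why the check needs control over the reverse zone: shop.example cannot publish a policy because its PTR name is the hoster's.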

