[whatwg] Lifting cross-origin XMLHttpRequest restrictions?

Ashley Sheridan ash at ashleysheridan.co.uk
Fri Mar 12 02:08:42 PST 2010

Previous message: [whatwg] Lifting cross-origin XMLHttpRequest restrictions?
Next message: [whatwg] Offscreen canvas (or canvas for web workers).
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2010-03-11 at 23:50 -0800, Michal Zalewski wrote:

> > Servers are already free to obtain and mix in content from other sites, so
> > why can't client-side HTML JavaScript be similarly empowered?
> 
> I can see two reasons:
> 
> 1) Users may not be happy about the ability for web applications to
> implement an unprecedented level of automation through their client
> (and using their IP) - for example, crawling the Intranet, opening new
> accounts on social sites and webmail systems, sending out spam.
> 
> While there is always some ability for JS to blindly interact with
> third-party content, meaningful automation typically requires the
> ability to see responses, read back XSRF tokens, etc; and while
> servers may be used as SOP proxies, the origin of these requests is
> that specific server, rather than an assortment of non-consenting
> clients.
> 
> The solution you propose - opt-out - kinda disregards status quo, and
> requires millions of websites to immediately deploy workarounds, or
> face additional exposure to attacks. For opt-in, you may want to look
> at UMP: http://www.w3.org/TR/2010/WD-UMP-20100126/ (or CORS, if you do
> not specifically want anonymous requests).
> 
> 2) It was probably fairly difficult to "sandbox" requests fully so
> that they are not only stripped of cookies and cached HTTP
> authentication, but also completely bypass caching mechanisms
> (although UMP aims to achieve this).
> 
> /mz


Potentially you're entering a whole world of problems. Not only would
all the browsers have to sandbox, but every single plugin that a browser
uses. Think of the way Flash has it's own method of storing potentially
sensitive cookie-like data on the clients machine, which the browser has
no control of. You're looking at a massive task just there.

Thanks,
Ash
http://www.ashleysheridan.co.uk


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100312/35752fd4/attachment-0002.htm>

Previous message: [whatwg] Lifting cross-origin XMLHttpRequest restrictions?
Next message: [whatwg] Offscreen canvas (or canvas for web workers).
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the whatwg mailing list