[whatwg] Cross Domain Policies

Jim Ley jim.ley at gmail.com
Sun Jul 25 11:48:26 PDT 2004


On Sat, 24 Jul 2004 14:05:03 -0200, Doron Rosenberg <doronr at gmail.com> wrote:
> Back at Netscape, when we were working on Mozilla's web services
> support, we introduced a security model where a web services hosting
> domain can allow cross domain calls to it, controlled via an XML file
> (read more at http://lxr.mozilla.org/mozilla/source/extensions/webservices/docs/New_Security_Model.html).

As well as Malcolm's concerns with practicality of this, I have pretty
significant concerns about the security of it - as it takes the
security completely out of the hands of the user.

If my bank makes a mistake and provides its web-service available to
random domains there's nothing I can do to either be aware of it,
or presumably disable it on an individual basis.

I'm really quite alarmed by this approach in fact. How do I disable it
(or if not it all SOAP) in my Firefox please, I can't seem to see the
menu option.  Also can you please put a great big security warning on
the "What's new" that clarifies and explains exactly what these new
"security models" are - as most people have the expectation that UAs
are consistent and don't suddenly give their browsers new security
dangerous abilities they don't tell anyone about!

Jim.

