[whatwg] Cross Domain Policies

Jim Ley jim.ley at gmail.com
Sun Jul 25 11:48:26 PDT 2004


On Sat, 24 Jul 2004 14:05:03 -0200, Doron Rosenberg <doronr at gmail.com> wrote:
> Back at Netscape, when we were working on Mozilla's web services
> support, we introduced a security model where a web services hosting
> domain can allow cross domain calls to it, controlled via an XML file
> (read more at http://lxr.mozilla.org/mozilla/source/extensions/webservices/docs/New_Security_Model.html).

Aswell as Malcolm's concerns with practicality of this, I have pretty
significant concerns about the security of it - as it takes the
security completely out of the hands of the user.

If my bank makes a mistake and provides its web-service available to
random domains there's nothing I can do to, to either be aware of it,
or presumably disable it on an individual basis.

I'm really quite alarmed by this approach in fact, How do I disable it
(or if not it all SOAP) in My FireFox please, I can't seem to see the
menu option.  Also can you please put a great big security warning on
the "What's new" that clarifies and explains exactly what these new
"security models" are - as most people have the expectation that UA's
are consistent and don't suddenly give their browsers new security
dangerous abilities they don't tell anyone about!

Jim.



More information about the whatwg mailing list