[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC

Ian Hickson ian at hixie.ch
Tue Mar 8 16:30:19 PST 2005


On Tue, 8 Mar 2005, Chris Holland wrote:
> 
> http://chrisholland.blogspot.com/2005/03/contextagnosticxmlhttprequest-informal.html
> 
> I'm basically looking to enable some sort of cross-host *and* 
> cross-domain interoperability between documents via a modified clone of 
> the XmlHttpRequest object, while attempting to tread very carefully on 
> various security issues, such as Cookies and Basic-Auth credentials. A 
> "ContextAgnosticXmlHttpRequest" would be a new object developers could 
> use, beyond the traditional XmlHttpRequest.

One security problem with the above suggestion is that if you have a 
scenario where host H is accessed by a user U which is behind a corporate 
firewall, and behind that firewall are otherwise unprotected servers 
hosting sensitive information, you just gave hostile host H access to all 
that sensitive data.

The only real solution I can see is to have the remote server somehow opt 
in to being able to serve pages from any other site. I've been brain- 
storming possible ways to allow this kind of thing in:

   http://whatwg.org/specs/web-apps/current-work/#network

...but nothing currently there should be considered even remotely finished 
yet (or even representative of what I'm currently thinking, it's really 
just a scratchpad).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list