[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC
Ian Hickson
ian at hixie.ch
Tue Mar 8 16:30:19 PST 2005
On Tue, 8 Mar 2005, Chris Holland wrote:
>
> http://chrisholland.blogspot.com/2005/03/contextagnosticxmlhttprequest-informal.html
>
> I'm basically looking to enable some sort of cross-host *and*
> cross-domain interoperability between documents via a modified clone of
> the XmlHttpRequest object, while attempting to tread very carefully on
> various security issues, such as Cookies and Basic-Auth credentials. A
> "ContextAgnosticXmlHttpRequest" would be a new object developers could
> use, beyond the traditional XmlHttpRequest.
One security problem with the above suggestion is that if you have a
scenario where host H is accessed by a user U which is behind a corporate
firewall, and behind that firewall are otherwise unprotected servers
hosting sensitive information, you just gave hostile host H access to all
that sensitive data.
The only real solution I can see is to have the remote server somehow opt
in to being able to serve pages from any other site. I've been
brainstorming possible ways to allow this kind of thing in:
http://whatwg.org/specs/web-apps/current-work/#network
...but nothing currently there should be considered even remotely finished
yet (or even representative of what I'm currently thinking, it's really
just a scratchpad).
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
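As an added illustration of the opt-in idea in the reply above (this is example code, not part of the original thread and not any browser's implementation): a browser-side policy function that only exposes a cross-origin response to the requesting page when the responding server has explicitly agreed to it. The header name `X-Allow-Cross-Origin` and its allow-list syntax are assumptions made for this example; the mechanism later standardised as CORS uses `Access-Control-Allow-Origin` with comparable rules. The scenario function replays the mail's firewall case, where hostile host H makes user U's browser fetch from an unprotected intranet server that never opted in.

```javascript
// Added example, not from the original thread. Models "remote server opts in"
// as a response-header check performed by the browser before any script on
// the requesting page is allowed to read the response.

// requestOrigin:   origin of the page that issued the request, e.g. "http://h.example"
// responseHeaders: plain object of lowercase header names -> header values
// credentialsSent: true if cookies or HTTP auth (Basic etc.) were attached
function mayExposeResponse(requestOrigin, responseHeaders, credentialsSent) {
  const optIn = responseHeaders["x-allow-cross-origin"]; // assumed header name
  if (optIn === undefined) {
    // No opt-in at all: the server never agreed to be read from another site.
    // This default is what protects unmodified intranet hosts behind a firewall.
    return false;
  }
  if (optIn.trim() === "*") {
    // A wildcard opt-in must not cover requests that carried the user's
    // credentials, otherwise a hostile page could read authenticated content
    // the server only intended for the logged-in user.
    return !credentialsSent;
  }
  // Explicit allow-list: the server names the exact origins it trusts, and
  // only an exact origin match releases the response.
  return optIn.split(",").map((s) => s.trim()).includes(requestOrigin);
}

// Constructed scenario following the mail: hostile host H is the page origin,
// and the user's browser sits inside a corporate firewall.
const hostileOrigin = "http://h.example";

function scenario() {
  // Intranet server: unprotected, unmodified, sends no opt-in header.
  const intranetResponse = { "content-type": "text/html" };
  // Public API that opts in for everyone.
  const publicApiResponse = {
    "content-type": "application/json",
    "x-allow-cross-origin": "*",
  };
  // Partner API that opts in only for named origins.
  const partnerResponse = {
    "content-type": "application/json",
    "x-allow-cross-origin": "http://partner.example, http://h.example",
  };
  return {
    // withheld: no opt-in, so H learns nothing about the intranet page
    intranet: mayExposeResponse(hostileOrigin, intranetResponse, false),
    // released: anonymous request to a server that allows any origin
    publicNoCreds: mayExposeResponse(hostileOrigin, publicApiResponse, false),
    // withheld: wildcard does not cover a request that carried credentials
    publicWithCreds: mayExposeResponse(hostileOrigin, publicApiResponse, true),
    // released: H is explicitly on the partner's allow-list
    partner: mayExposeResponse(hostileOrigin, partnerResponse, true),
  };
}

console.log(scenario());
```

The important design point is the first branch: absence of the header is a denial. Any scheme that requires intranet hosts to add a header in order to be protected would leave exactly the servers the mail worries about exposed, so the opt-in has to be the server's affirmative act, with the browser defaulting to withholding the response.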