[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC
Jim Ley
jim.ley at gmail.com
Wed Mar 9 00:57:12 PST 2005
On Tue, 8 Mar 2005 19:09:43 -0800, Chris Holland <frenchy at gmail.com> wrote:
> Well, the value of the Referrer header i'm talking about in this case,
> would always be the URI of the document originating the
> ContextAgnosticXmlHttpRequest, NOT the *document*'s referrer. Based on
> this requirement, i should be able to rely on this header to protect
> my service.
How do you know it's not just some random client with a referrer
that happens to meet your idea of accurate? Even if implementors of
your version of the object were religiously accurate in following this
rule, no other HTTP implementation need do it.
> How about requiring from a service that it sets an extra HTTP header
> to offer its content to "foreign" hosts:
>
> X-Allow-Foreign-Host: All | None | .someforeigndomain.com |
> .somehost.someforeigndomain.com
This is a much better proposal than the stealing of URIs in my domain
to mean some special thing. We're already plagued by the Favicon bugs
in FireFox hammering our servers with requests for documents we never
defined.
> all this, i believe, tends to bleed into your own idea of establishing
> some sort of trust relationship. To that end, I need to spend more
> time grokking 11.4 from your document. I think I'm getting there.
11.4 isn't particularly relevant surely? That's about Cross-document,
so both documents would need to exist on the client before any
communication could occur.
> I was basically trying to
> further limit the types of documents you could ever retrieve, to
> purely valid XML documents, so no random text or Tag Soup HTML
> document could be arbitrarily leeched.
Please don't have any solution that limits the user to XML; it's a
pointless arbitrary restriction that offers nothing but serious
performance hits to the client, and complications to the user.
Jim
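Added example, not part of the original thread or of any WHATWG proposal text: a user-agent-side gate for the X-Allow-Foreign-Host header discussed above. The point of the proposal, as opposed to checking Referer, is that the decision is made by the user agent from its own knowledge of which document issued the request, so the service never has to trust a header a client could fill in however it likes. The header grammar is taken from the quoted message; the assumptions made here are that multiple entries are comma-separated, that an absent or unparseable header means "None" (fail closed), and that a dot-prefixed entry such as ".someforeigndomain.com" matches that domain and any of its subdomains, as cookie domain matching does.

```javascript
// Parse an X-Allow-Foreign-Host value into a policy object.
// Assumed grammar: "All" | "None" | comma-separated dot-prefixed host suffixes.
function parseAllowForeignHost(headerValue) {
  // Absent or non-string header: deny cross-host reads (assumption: fail closed).
  if (typeof headerValue !== "string") return { mode: "none", suffixes: [] };

  const tokens = headerValue
    .split(",")
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0);

  if (tokens.length === 0) return { mode: "none", suffixes: [] };
  // "None" anywhere in the list wins over everything else.
  if (tokens.includes("none")) return { mode: "none", suffixes: [] };
  if (tokens.includes("all")) return { mode: "all", suffixes: [] };

  const suffixes = [];
  for (const t of tokens) {
    // Only well-formed dot-prefixed suffixes are accepted; anything else is
    // dropped rather than widened into a broader match.
    if (/^\.[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(t)) suffixes.push(t);
  }
  return { mode: "list", suffixes };
}

// Decide whether the document served from documentHost may read a response
// fetched from resourceHost. documentHost is what the user agent itself knows
// about the requesting document's URI, not a Referer header from the wire.
function mayExposeResponse(policy, documentHost, resourceHost) {
  const doc = String(documentHost).toLowerCase();
  const res = String(resourceHost).toLowerCase();

  // Same host: ordinary same-origin XMLHttpRequest rules apply, header or not.
  if (doc === res) return true;

  if (policy.mode === "all") return true;
  if (policy.mode === "none") return false;

  // ".example.com" matches "example.com" and "a.example.com", but must not
  // match "notexample.com", hence the check on the leading dot.
  return policy.suffixes.some((s) => doc === s.slice(1) || doc.endsWith(s));
}

// Constructed walk-through: a page on app.someforeigndomain.com asks for a
// resource on api.example.net, which answers with the header below.
function demo() {
  const policy = parseAllowForeignHost(".someforeigndomain.com");
  return mayExposeResponse(policy, "app.someforeigndomain.com", "api.example.net");
}
```

The matching deliberately ignores entries that are not dot-prefixed instead of treating them as hosts, so a typo in the header cannot silently grant more than the service intended; whether the original proposal wanted bare hostnames accepted is not stated in the thread.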