[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC

Chris Holland frenchy at gmail.com
Wed Mar 9 22:57:56 PST 2005


Jim,

did you get a chance to go over this:
http://chrisholland.blogspot.com/2005/03/contextagnosticxmlhttprequest-informal.html
?

I've gone over a few use cases and security concerns in there, but
it's true I haven't developed privacy concerns surrounding the
Refer(r)er header. Here's an attempt at addressing this:

In hindsight, there could be a concern whereby, this time, the
document originating the ContextAgnosticXmlHttpRequest lives on an
intranet and decides to display a blog RSS feed that lives on the open
internet. If the Referer header is being sent along, the entity who
offers the RSS feed will see the exact URI for the requesting document
that lives behind the intranet. Then again, any document that lives on
an intranet that links to an outside source or embeds an outside image
is also vulnerable to a similar issue.
On Wed, 9 Mar 2005 16:55:54 +0000, Jim Ley <jim.ley at gmail.com> wrote:
> On Wed, 9 Mar 2005 08:42:25 -0800, Chris Holland <frenchy at gmail.com> wrote:
> > On Wed, 9 Mar 2005 12:14:52 +0000, Jim Ley <jim.ley at gmail.com> wrote:
> >> Are you sure you're not advocating this to get around privacy based
> >> proxies of the type that normally disable such referrer based content
> >> so as to reliably block
> >> privacy invasions?
> >
> > Well, if a proxy starts filtering out HTTP headers sent by the client,
> > there isn't much we can do about that now is there. heh.
> 
> Who said anything about proxy?  You were requiring that a conformant
> gibberishName UA send the correct referrer header, that's something
> that many people, and many browsers currently do not want to do for
> valid privacy concerns.  Just saying "there's nothing we can do about
> those" when you've not really provided a use case for the information
> in the first place isn't a good way to go I think.
> 
> > thanks for the feedback! :)
> 
> The biggest problem is you've not provided use-cases, you've not
> provided any security analysis of your proposal, as it stands it's
> extremely inadequate.  Come up with some use-cases, and a real
> analysis of what extra features need to be added to make it secure,
> what impact it has on privacy etc.
> 
> Cheers,
> 
> Jim.
> 


-- 
Chris Holland
http://chrisholland.blogspot.com/
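The intranet-document-to-public-feed scenario Chris describes above, as an added example that is not part of the original thread or of the ContextAgnosticXmlHttpRequest proposal. The script reuses the scenario's actors (an intranet wiki page fetching a public RSS feed; both URLs are constructed for this example) and shows what the feed host learns from the Referer header under the referrer policies today's browsers implement (the 2005 behaviour corresponds to "no-referrer-when-downgrade"/"unsafe-url", sending the full document URL). The `isPrivateHost` heuristic is this example's own and only recognises RFC 1918 addresses, loopback, single-label names and a few common internal suffixes; it is not a complete test for internal hosts.

```javascript
// Added example: what a cross-origin Referer reveals about the requesting document.
// Not code from the original thread. URLs and the isPrivateHost heuristic are constructed here.

// Constructed scenario: an intranet wiki page (with a query string and fragment)
// fetches an RSS feed from a blog on the public internet.
const INTRANET_DOC = 'http://wiki.corp.example.internal/projects/acme-merger/notes.html?rev=7#sec2';
const PUBLIC_FEED = 'http://blog.example.com/feed.rss';

// Value of the Referer header a browser would attach to a request for requestUrl
// made from documentUrl under the given Referrer-Policy. Returns null when no
// Referer is sent. Credentials and the fragment are always stripped, as the
// Fetch standard's "strip URL for use as a referrer" does.
function refererFor(documentUrl, requestUrl, policy) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);
  const full = doc.origin + doc.pathname + doc.search; // no fragment, no user:pass
  const originOnly = doc.origin + '/';                 // serialized origin, trailing slash
  const sameOrigin = doc.origin === req.origin;
  const downgrade = doc.protocol === 'https:' && req.protocol === 'http:';

  switch (policy) {
    case 'no-referrer':                   return null;
    case 'unsafe-url':                    return full;
    case 'no-referrer-when-downgrade':    return downgrade ? null : full;
    case 'same-origin':                   return sameOrigin ? full : null;
    case 'origin':                        return originOnly;
    case 'strict-origin':                 return downgrade ? null : originOnly;
    case 'origin-when-cross-origin':      return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin': // current browser default
      return sameOrigin ? full : (downgrade ? null : originOnly);
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Heuristic (this example's own): does the hostname look like it only resolves
// inside a private network? Covers RFC 1918 ranges, loopback, single-label names
// and a few common internal suffixes. Not exhaustive.
function isPrivateHost(hostname) {
  if (/^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)\d/.test(hostname)) return true;
  if (!hostname.includes('.')) return true;
  return /\.(local|internal|corp|lan|intranet)$/i.test(hostname);
}

// What the operator of the feed host can read off the Referer it received.
function feedHostView(referer) {
  if (referer === null) return { received: false };
  const u = new URL(referer);
  return {
    received: true,
    hostname: u.hostname,
    privateHost: isPrivateHost(u.hostname),
    pathAndQuery: u.pathname + u.search, // '/' with empty search when only the origin was sent
  };
}

// Run the scenario under the policies of interest.
function leakReport(documentUrl = INTRANET_DOC, requestUrl = PUBLIC_FEED) {
  const report = {};
  for (const policy of ['unsafe-url', 'strict-origin-when-cross-origin', 'no-referrer']) {
    report[policy] = feedHostView(refererFor(documentUrl, requestUrl, policy));
  }
  return report;
}

console.log(JSON.stringify(leakReport(), null, 2));
```

With the 2005-era behaviour the blog operator sees the full intranet path and query (`/projects/acme-merger/notes.html?rev=7`); the modern default still discloses the internal hostname, and only `no-referrer` (set via the `Referrer-Policy` response header, a `<meta name="referrer">` tag, the `referrerpolicy` attribute, or `fetch(url, { referrerPolicy: 'no-referrer' })`) suppresses it. The same controls apply to the `<img>` and link cases Chris mentions, which is why the exposure is best handled by the embedding document's policy rather than by the requesting API.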