darin at meer.net
Mon Mar 13 11:12:46 PST 2006
Gervase Markham wrote:
> Darin Fisher wrote:
>> Backing up a second, I think what we need is a way to grant websites the
>> ability to control who may access their resources. It'd be ideal if the
>> browser had a way to ask the server for the list of hosts (or domains)
>> that are permitted to access it. I don't think this is a new idea as
>> several specifications have been attempted along these lines. Mozilla
>> even implements one of them for its SOAP and WSDL implementation.
> My idea for that (bit of a one-track mind, me) was a Use-Domain: HTTP
> header. The JSON data would be served with "Use-Domain:
> www.mydomain.com", and the browser would refuse to give any page not
> from that domain access to the data.
> You could also use it to prevent image bandwidth stealing.
Keep in mind that there is also the problem that the POST request may
have undesirable side-effects. The web app probably needs a request
header from the browser to tell it what domain is sending it data. The
Referer header is not sufficient since the browser will not send a HTTPS
referrer-URI over plaintext.
We need to restrict READs as well as WRITEs when it comes to XSS ;-)
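An added illustration of the two gates discussed in this thread (not code from the thread, Mozilla, or the WHATWG): the browser-side check keyed on a "Use-Domain" response header, and the server-side check on a request header naming the sending page's domain, so a POST can be refused before its side effect runs. "Sending-Domain" is a hypothetical stand-in for the request header Darin asks for; the allowlist and URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the web app and the domain it serves data to.
ALLOWED_SENDERS = {"www.mydomain.com"}
USE_DOMAIN = "www.mydomain.com"

def browser_request_headers(page_url, target_url):
    """Headers a browser would attach when a page at page_url calls target_url.
    Mirrors the Referer rule cited in the thread: an https page's referrer is
    not sent to a plaintext (http) target, so Referer alone cannot identify the
    sender.  "Sending-Domain" is an assumed request header (later standardized
    as Origin)."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    headers = {}
    if not (page.scheme == "https" and target.scheme == "http"):
        headers["Referer"] = page_url
    headers["Sending-Domain"] = page.hostname
    return headers

def server_handle_post(headers, side_effects):
    """Server gate for a state-changing POST: decide on the explicit
    sending-domain header before doing anything, never on Referer.
    Returns (status, response headers); side_effects records what ran."""
    if headers.get("Sending-Domain") not in ALLOWED_SENDERS:
        return 403, None
    side_effects.append("record written")
    return 200, {"Use-Domain": USE_DOMAIN}

def server_handle_get():
    """Server response for a read: JSON body plus the Use-Domain header."""
    return 200, {"Use-Domain": USE_DOMAIN}, '{"secret": 42}'

def browser_expose_body(page_url, response_headers, body):
    """Browser gate: hand the body to the page only if the page's host
    matches the Use-Domain header; otherwise withhold it (returns None)."""
    if response_headers.get("Use-Domain") != urlsplit(page_url).hostname:
        return None
    return body
```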