[whatwg] Proposal for cross domain security framework

Frode Børli frode at seria.no
Fri Jun 20 04:52:21 PDT 2008

I have a proposal for a cross domain security framework that i think
should be implemented in browsers, java applets, flash applets and

The problem:
If browsers could connect freely to whichever IP-address they want,
then a simple ad on a highly popular website can be used to trigger
massive DDOS attacks or distributed brute force password attacks etc.

The challenge:
The owner of the server that receives incoming connections must be
able to decide who is able to connect.

The tools available:
The browser. The server. DNS servers.

The method:
The browser always know where it downloaded any given script or
applet. It also know which IP-address or host-name the script wants to
connect to. The browser should perform the following check to make
sure that the given script is allowed to connect:

1. Browser downloads a script from server A.
2. Script tries to connect to server B.
3. Browser looks up server B's IP-address.
4. Browser performs a reverse lookup of server B's IP-address and gets
a host name for the server.
5. Browser looks up a special TXT record in the DNS record for Server
B, which states each of the IP addresses/host names that can hosts
scripts allowed to connect.

DNS records are cached multiple places (including at the local
computer), so a DDOS attack attempting to take down DNS servers
probably not succeed.

What do you think?

Best regards,
Frode Børli
Seria AS, Norway

More information about the whatwg mailing list