[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Maciej Stachowiak mjs at apple.com
Mon Sep 29 21:33:24 PDT 2008


On Sep 28, 2008, at 3:32 AM, Robert O'Callahan wrote:

> On Sun, Sep 28, 2008 at 10:52 PM, Michal Zalewski <lcamtuf at dione.cc>
> wrote:
>> other browsers are getting cross-domain XMLHttpRequest headers
>
> Using the W3C Access Controls spec, which I am suggesting to reuse
> here. If you're not familiar with that spec, it's here: http://www.w3.org/TR/access-control/
>
>> Now consider that "I-Do-Not-Want-To-Be-Loaded-Across-Domains" is
>> also inherently incompatible with mashups, content separation,
>> gadgets, etc., and there is a very vocal group of proponents and
>> promoters for these technologies (which is why browser vendors are
>> implementing cross-domain XMLHttpRequest to begin with). So we would
>> probably rather want to say "I-Want-To-Be-Loaded-Only-By:
>> <list_of_domains>".
>
> I'm suggesting just reusing the Access Controls spec for that.
>
> So for example, the server could say:
> Same-Origin-Only-Unless-Access-Controls-Says-Otherwise: yes
> Access-Control-Allow-Origin: http://example.com

I think this is a really good proposal. It would allow Web sites to  
place all content under a single uniform policy for access control, as  
opposed to the state today where cross-site access depends on how the  
resource is embedded.

Would "Require-Access-Control" be an adequate synonym for
"Same-Origin-Only-Unless-Access-Controls-Says-Otherwise", on the
assumption that same-origin access always satisfies access control?

Regards,
Maciej
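As an added illustration (not code from this thread, from the W3C draft, or from any browser), here is a small JavaScript model of the decision a browser would make when embedding a resource (frame, image, script) under the proposal quoted above, with Maciej's `Require-Access-Control` accepted as a synonym. The header names are the ones discussed in the thread; the evaluation order, the same-origin short-circuit, the `yes` opt-in token, treating an absent opt-in header as today's permissive behaviour, and splitting `Access-Control-Allow-Origin` on whitespace are my assumptions about how such a rule would be written down.

```javascript
// Toy model of the "Same-Origin-Only-Unless-Access-Controls-Says-Otherwise"
// proposal. Not from the thread or any browser; semantics are assumptions.

// Reduce a URL to its origin (scheme + host + explicit port), which is the
// unit the same-origin policy and Access-Control compare.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Case-insensitive header lookup over a plain { name: value } object.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v.trim();
  }
  return undefined;
}

// Decide whether a document at `embedderOrigin` may embed the resource
// fetched from `resourceUrl`, given the resource's response headers.
function mayEmbed(responseHeaders, resourceUrl, embedderOrigin) {
  const resourceOrigin = originOf(resourceUrl);

  // Assumption from Maciej's question: same-origin access always satisfies
  // access control, so it is allowed before any header is consulted.
  if (resourceOrigin === embedderOrigin) return true;

  // Either spelling of the opt-in header switches the resource into
  // "same-origin unless Access-Control says otherwise" mode.
  const optIn =
    header(responseHeaders, 'Same-Origin-Only-Unless-Access-Controls-Says-Otherwise') ??
    header(responseHeaders, 'Require-Access-Control');

  // No opt-in: legacy web behaviour, cross-site embedding is allowed.
  if (optIn === undefined || optIn.toLowerCase() !== 'yes') return true;

  // Opted in: only an explicit Access-Control-Allow-Origin grant lets a
  // foreign origin embed the resource.
  const allow = header(responseHeaders, 'Access-Control-Allow-Origin');
  if (allow === undefined) return false;
  if (allow === '*') return true;

  // Assumption: accept one origin or a space-separated list; each entry
  // must match the embedder's serialized origin exactly (no substring or
  // suffix matching, which is where ad-hoc origin checks usually go wrong).
  return allow.split(/\s+/).some((o) => o === embedderOrigin);
}

// Constructed sample: the response from the thread's example server.
const sampleHeaders = {
  'Same-Origin-Only-Unless-Access-Controls-Says-Otherwise': 'yes',
  'Access-Control-Allow-Origin': 'http://example.com',
};

// A page on http://example.com may frame it; a page on http://attacker.example may not.
console.log(mayEmbed(sampleHeaders, 'http://bank.example/transfer', 'http://example.com'));
console.log(mayEmbed(sampleHeaders, 'http://bank.example/transfer', 'http://attacker.example'));
```

The point the model makes concrete is the uniformity Maciej praises: the same header pair gates framing, image inclusion and XMLHttpRequest alike, and the only way past it for a foreign origin is an exact match in the Access-Control grant.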
