[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Maciej Stachowiak
mjs at apple.com
Mon Sep 29 21:33:24 PDT 2008
On Sep 28, 2008, at 3:32 AM, Robert O'Callahan wrote:
> On Sun, Sep 28, 2008 at 10:52 PM, Michal Zalewski <lcamtuf at dione.cc>
> wrote:
> other browsers are getting cross-domain XMLHttpRequest headers
>
> Using the W3C Access Controls spec, which I am suggesting to reuse
> here. If you're not familiar with that spec, it's here: http://www.w3.org/TR/access-control/
>
> Now consider that "I-Do-Not-Want-To-Be-Loaded-Across-Domains" is
> also inherently incompatible with mashups, content separation,
> gadgets, etc, and there is a very vocal group of proponents and
> promotors for these technologies (which is why browser vendors are
> implementing cross-domain XMLHttpRequest to begin with). So we would
> probably rather want to say "I-Want-To-Be-Loaded-Only-By:
> <list_of_domains>".
>
> I'm suggesting just reusing the Access Controls spec for that.
>
> So for example, the server could say:
> Same-Origin-Only-Unless-Access-Controls-Says-Otherwise: yes
> Access-Control-Allow-Origin: http://example.com
I think this is a really good proposal. It would allow Web sites to
place all content under a single uniform policy for access control, as
opposed to the state today where cross-site access depends on how the
resource is embedded.
Would "Require-Access-Control" be an adequate synonym for "Same-Origin-
Only-Unless-Access-Controls-Says-Otherwise", on the assumption that
same-origin access always satisfies access control?
Regards,
Maciej
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080929/55b23fae/attachment-0001.htm>
More information about the whatwg
mailing list