[whatwg] Lifting cross-origin XMLHttpRequest restrictions?
ash at ashleysheridan.co.uk
Fri Mar 12 02:08:42 PST 2010
On Thu, 2010-03-11 at 23:50 -0800, Michal Zalewski wrote:
> > Servers are already free to obtain and mix in content from other sites, so
> I can see two reasons:
> 1) Users may not be happy about the ability for web applications to
> implement an unprecedented level of automation through their client
> (and using their IP) - for example, crawling the Intranet, opening new
> accounts on social sites and webmail systems, sending out spam.
> While there is always some ability for JS to blindly interact with
> third-party content, meaningful automation typically requires the
> ability to see responses, read back XSRF tokens, etc; and while
> servers may be used as SOP proxies, the origin of these requests is
> that specific server, rather than an assortment of non-consenting
> The solution you propose - opt-out - kinda disregards status quo, and
> requires millions of websites to immediately deploy workarounds, or
> face additional exposure to attacks. For opt-in, you may want to look
> at UMP: http://www.w3.org/TR/2010/WD-UMP-20100126/ (or CORS, if you do
> not specifically want anonymous requests).
> 2) It was probably fairly difficult to "sandbox" requests fully so
> that they are not only stripped of cookies and cached HTTP
> authentication, but also completely bypass caching mechanisms
> (although UMP aims to achieve this).
Potentially you're entering a whole world of problems. Not only would
all the browsers have to sandbox, but every single plugin that a browser
uses. Think of the way Flash has its own method of storing potentially
sensitive cookie-like data on the client's machine, which the browser has
no control of. You're looking at a massive task just there.
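
An added example, not part of the original message or of either specification: a JavaScript model of the opt-in rule the quoted text points to (CORS, and UMP-style anonymous requests), showing that a site which deploys nothing keeps today's protection. The function names are hypothetical and the origins are constructed; the header names are the real CORS ones.

```javascript
// Model of the browser-side opt-in decision. Not a browser API: the function
// names are hypothetical, the origins used with it are constructed.

// Request headers that carry ambient authority or identify the user or page.
// A UMP-style anonymous request is sent without any of them.
const AMBIENT = new Set(["cookie", "authorization", "referer", "origin"]);

function toAnonymousRequest(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!AMBIENT.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Case-insensitive header lookup; returns undefined when the header is absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// True only if script running at pageOrigin may read the response body.
function mayReadResponse({ pageOrigin, targetOrigin, withCredentials, responseHeaders }) {
  if (pageOrigin === targetOrigin) return true; // same origin: always readable

  const allow = header(responseHeaders, "access-control-allow-origin");
  // Opt-in: a server that sends nothing is treated exactly as before,
  // so existing sites need no workaround.
  if (allow === undefined) return false;

  if (!withCredentials) {
    // Anonymous request: "*" (the only form UMP uses) or this exact origin.
    return allow === "*" || allow === pageOrigin;
  }
  // Credentialed request: the wildcard is not enough. The server must name
  // the origin and explicitly allow credentials.
  const creds = header(responseHeaders, "access-control-allow-credentials");
  return allow === pageOrigin && creds === "true";
}
```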