[whatwg] Lifting cross-origin XMLHttpRequest restrictions?

Michal Zalewski lcamtuf at coredump.cx
Sat Mar 13 17:58:37 PST 2010

> As suggested above, could a header be required on compliant browsers to send
> a header along with their request indicating the originating server's
> domain?

Yes, but it's generally a bad practice to release new features that
undermine the security of existing systems, and require everybody to
change their code to account for the newly introduced vectors.

Theoretically, GET or OPTIONS should have no side effects, so DoS
potential aside, they could be permitted with no special security
checks. In practice, much of the Internet uses GET for state-changing
actions; or nominally uses POSTs, but does not differentiate between
the two in any specific way; plus, the problem of IP auth / Intranet
probing remains.

Bottom line is, opt-in is offered in several other places; and an opt-out
solution seems unlikely at this point, I would think?
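The server side of the opt-in model the reply refers to, as an added example that is not code from this thread, from any browser, or from the whatwg specification work: it assumes the browser-sent Origin request header is the "header indicating the originating server's domain" the quoted question asks about, keeps an allowlist of trusted origins, and applies the same check to GET as to POST because, as the reply notes, deployed applications often change state on GET. The allowlist entries, item store and handler names are constructed for illustration.

```python
"""Added example (not from the whatwg thread): a server-side origin
allowlist for cross-origin requests. The Origin header is assumed to be
the originating-domain header under discussion; all names and sample
values below are constructed."""

from urllib.parse import urlsplit

# Constructed sample allowlist: origins this server trusts to call it cross-origin.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})


def normalize_origin(value):
    """Canonicalize an Origin header value to scheme://host[:port], or None.

    Rejects 'null' (opaque origins), values carrying a path, query, fragment
    or userinfo, non-http(s) schemes and unparsable ports, so that lookalikes
    such as 'https://app.example.com.evil.test' or 'https://app.example.com@x'
    never match the allowlist through string tricks.
    """
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    host = parts.hostname  # lowercased by urlsplit
    if not host:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    if ":" in host:  # bare IPv6 literal, re-bracket it
        host = f"[{host}]"
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def decide(method, headers, allowed=ALLOWED_ORIGINS):
    """Return (accept, extra_response_headers) for one request.

    GET gets no special treatment: a cross-origin GET from an unlisted
    origin is refused exactly like a POST, since the assumption that GET
    has no side effects does not hold for much deployed code.
    """
    raw = headers.get("Origin")
    if raw is None:
        # No Origin header: in this model, not a cross-origin browser request.
        # No CORS grant is issued and ordinary same-origin handling applies.
        return True, {}
    origin = normalize_origin(raw)
    if origin is None or origin not in allowed:
        # Untrusted origin: refuse before any side effect runs, for every method.
        return False, {}
    # Opt-in grant: echo exactly the matched origin (never '*') and mark the
    # response as varying on Origin so a cache never serves one origin's
    # grant to another.
    return True, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


# Constructed sample state owned by the server.
ITEMS = {"1": "report.pdf"}


def handle_delete(method, headers, item_id, store=ITEMS):
    """A state-changing endpoint that, like much deployed code, accepts GET.

    The origin decision runs before the side effect, so a cross-origin GET
    from an unlisted origin leaves the store untouched.
    """
    accept, extra = decide(method, headers)
    if not accept:
        return 403, extra, "forbidden"
    store.pop(item_id, None)
    return 200, extra, "deleted"


if __name__ == "__main__":
    print(decide("GET", {"Origin": "https://attacker.test"}))
    print(decide("POST", {"Origin": "https://app.example.com"}))
    print(handle_delete("GET", {"Origin": "https://attacker.test"}, "1", dict(ITEMS)))
```

The allowlist answers only the first of the reply's two objections: it stops an untrusted origin from driving state changes through a GET or POST to this server. It does nothing about the IP-auth / intranet-probing concern, which is about whether the request reaches the server at all, and which a server-side check cannot address.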


