
Re: Extension methods & XMLHttpRequest

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sun, 11 Jun 2006 15:29:53 +0200
To: Jamie Lokier <jamie@shareable.org>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <fp5o82t8od57kf96vg9decppj2qnm1eeoq@hive.bjoern.hoehrmann.de>

* Jamie Lokier wrote:
>Are you sure it's possible to introduce new methods that have similar
>problems to TRACE and CONNECT?

Of course it is. There may be problems, but it certainly is possible.

>Relax XMLHttpRequest's constraints slightly to allow GET (only)
>requests to any domain, with the constraint that in this case it's not
>permitted to set arbitrary request headers or read most of the
>response headers.  (Reading "Content-Type" should be allowed).

Well, A is your client with a fixed IP, B grants access to A but no
one else, C wants data from B. To achieve that, you simply have to be
tricked into visiting a page on C, which is rather trivial. The only
way to prevent that is to deny (indirect) read access from C to A.

http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012 and
http://www.w3.org/TR/access-control/ might be interesting to you.
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Sunday, 11 June 2006 13:30:00 UTC
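
The A/B/C scenario from the reply above, as a small model added here (not part of the original message): B authorises by source IP, the browser on A issues the GET, and three read policies decide what the page's script gets to see. Hosts, IPs, policy names and the `allowedOrigins` field are assumptions; the opt-in policy is an abstraction, not the syntax of the linked access-control draft.

```javascript
// Constructed model; every host, IP and field name here is hypothetical.
const CLIENT_A_IP = "192.0.2.10";   // A: the user's machine, fixed IP
const SERVER_C_IP = "203.0.113.5";  // C: the third party's own address

// B grants access by source IP only, as in the scenario above.
const serverB = {
  origin: "http://b.example",
  allowedIps: new Set([CLIENT_A_IP]),
  allowedOrigins: new Set(["http://partner.example"]), // consulted only by "server-opt-in"
  handleGet(sourceIp) {
    return this.allowedIps.has(sourceIp)
      ? { status: 200, body: "internal report" }
      : { status: 403, body: "" };
  },
};

// May script loaded from pageOrigin read a response that came from target?
function mayRead(policy, pageOrigin, target) {
  switch (policy) {
    case "same-origin": return pageOrigin === target.origin;
    case "relaxed-get": return true; // the quoted proposal: cross-domain GET bodies are readable
    case "server-opt-in":
      return pageOrigin === target.origin || target.allowedOrigins.has(pageOrigin);
    default: throw new Error("unknown policy: " + policy);
  }
}

// The browser on A performs the GET. B sees A's IP whichever page asked for it.
function xhrGet(policy, pageOrigin, target, browserIp) {
  const response = target.handleGet(browserIp);
  const readable = mayRead(policy, pageOrigin, target);
  return { serverStatus: response.status, visibleToScript: readable ? response.body : null };
}

function demo() {
  const rows = [];
  for (const policy of ["same-origin", "relaxed-get", "server-opt-in"]) {
    for (const page of ["http://b.example", "http://c.example", "http://partner.example"]) {
      rows.push({ policy, page, ...xhrGet(policy, page, serverB, CLIENT_A_IP) });
    }
  }
  return rows;
}

console.table(demo());
```

B answers 200 in every row because the request always arrives from A's address; only the browser-side read policy separates the page on C from B's own pages.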
