
Re: Comments on: Access Control for Cross-site Requests

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 20 Dec 2007 12:56:09 +0100
To: "Close, Tyler J." <tyler.close@hp.com>, "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <op.t3mt3va564w2qv@annevk-t60.oslo.opera.com>

On Thu, 20 Dec 2007 02:17:29 +0100, Close, Tyler J. <tyler.close@hp.com>  
wrote:
> There is also a significant factual error in the document's Introduction:
>
> """
> However, it is not possible to exchange the contents of resources or  
> manipulate resources "cross-domain".
> """
>
> It *is* possible to manipulate resources "cross-domain". An HTML page  
> can contain a FORM which submits an HTTP request "cross-domain".  
> Submission of this request can be automated using Javascript. The Same  
> Origin Policy only prevents the HTML page from accessing the response to  
> the issued request. Manipulation is allowed. Only responses are  
> protected, not requests.

Ian already replied to your earlier comment. I believe the introduction is  
"fixed" in the editor's draft:  
http://dev.w3.org/2006/waf/access-control/#introduction


> Below are comments from Doug Crockford:
>
> [...] I believe there are more elegant and reliable approaches to  
> providing a safe alternative to the script tag hack.

I'd be interested in hearing about such a proposal.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 20 December 2007 11:54:39 GMT