
Re: Comments on: Access Control for Cross-site Requests

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 20 Dec 2007 12:56:09 +0100
To: "Close, Tyler J." <tyler.close@hp.com>, "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <op.t3mt3va564w2qv@annevk-t60.oslo.opera.com>

On Thu, 20 Dec 2007 02:17:29 +0100, Close, Tyler J. <tyler.close@hp.com> wrote:
> There is also a significant factual error in the document's Introduction:
> """
> However, it is not possible to exchange the contents of resources or  
> manipulate resources "cross-domain".
> """
> It *is* possible to manipulate resources "cross-domain". An HTML page  
> can contain a FORM which submits an HTTP request "cross-domain".  
> Submission of this request can be automated using Javascript. The Same  
> Origin Policy only prevents the HTML page from accessing the response to  
> the issued request. Manipulation is allowed. Only responses are  
> protected, not requests.

Ian already replied to your earlier comment. I believe the introduction is  
"fixed" in the editor's draft:  

> Below are comments from Doug Crockford:
> [...] I believe there are more elegant and reliable approaches to  
> providing a safe alternative to the script tag hack.

I'd be interested in hearing about such a proposal.

Anne van Kesteren
Received on Thursday, 20 December 2007 11:54:39 UTC
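
Added example, not part of the archived message or of the draft under discussion: because the Same Origin Policy protects only responses, a server has to decide for itself whether a state-changing request came from its own pages. The sketch below checks the request's source origin and a per-session token; `app.example`, `other.example`, the `csrf_token` field and the request/session object shapes are assumptions made for illustration.

```javascript
// Constructed placeholder for the site's own origin (assumption).
const TRUSTED_ORIGINS = new Set(["https://app.example"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Origin of the page that issued the request: the Origin header if present,
// otherwise the origin part of Referer; null when neither is usable.
function sourceOrigin(headers) {
  if (headers.origin) return headers.origin;
  if (!headers.referer) return null;
  try {
    return new URL(headers.referer).origin;
  } catch (e) {
    return null; // malformed Referer: treat as unknown
  }
}

// Compare two tokens without stopping at the first differing character.
function sameToken(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { method, headers (lower-cased names), body }; session: { csrfToken }.
// The browser attaches cookies to a cross-site form POST, so the cookie
// alone says nothing about which page sent the request.
function checkStateChange(req, session) {
  if (SAFE_METHODS.has(req.method)) return "allow: safe method";
  const src = sourceOrigin(req.headers);
  if (src !== null && !TRUSTED_ORIGINS.has(src)) {
    return "deny: cross-site source " + src;
  }
  const token = (req.body || {}).csrf_token;
  if (!sameToken(token, session.csrfToken)) return "deny: missing or wrong token";
  return "allow";
}

// Constructed sample session and requests.
const session = { csrfToken: "constructed-token-5f2a" };
const crossSiteForm = { method: "POST", body: { amount: "10" },
  headers: { origin: "https://other.example", cookie: "sid=abc" } };
const ownForm = { method: "POST",
  body: { amount: "10", csrf_token: "constructed-token-5f2a" },
  headers: { origin: "https://app.example", cookie: "sid=abc" } };

console.log(checkStateChange(crossSiteForm, session));
console.log(checkStateChange(ownForm, session));
```

The token check still applies when neither Origin nor Referer is sent, so a request with no usable source header is not accepted on the cookie alone.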
