
[ac] elaborate on data theft

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 02 Feb 2007 17:52:12 +0100
To: "WAF WG (public)" <public-appformats@w3.org>
Cc: member-accesscontrol-tf@w3.org
Message-ID: <op.tm4rtang64w2qv@id-c0020>

The draft should probably explicitly indicate that it's trying to solve the
data theft problem (as in, we don't allow cross-domain access because
that might potentially expose information on intranets etc.), that other
specifications using the mechanism should forbid access to HTTP headers,
cookies, etc., and that scripts, if any, should run in the same origin as
that of the document that does the request. See also:

   http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 2 February 2007 16:52:32 GMT
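The three points in the message (cross-domain reads are denied by default so that reachable-but-private intranet resources leak nothing, an opted-in resource exposes its body but never its HTTP headers or cookies, and any script in the response runs as the requesting document's origin) can be written down as one access decision. The following is an added example, not code from the e-mail or from the WAF access-control draft: the `allowOrigins` list is a stand-in for the draft's server-side opt-in (its actual syntax is not reproduced here), and the URLs and resource records are constructed for illustration.

```javascript
// Added example (not from the e-mail or the access-control draft): a model of the
// read-access decision described above. `allowOrigins` stands in for the resource's
// opt-in; the resource records and URLs below are constructed sample data.

// Origin = scheme + host + port, so intranet.example:8080 and intranet.example differ.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Decide what a document at `documentUrl` may learn about `resource`.
// Returns the body, headers and cookies it is permitted to see, plus the origin
// any script in the body would run in (always the requesting document's origin).
function readAccess(documentUrl, resource) {
  const requester = originOf(documentUrl);
  const target = originOf(resource.url);

  if (requester === target) {
    // Same-origin: unchanged from today, full access.
    return { allowed: true, body: resource.body, headers: resource.headers,
             cookies: resource.cookies, scriptOrigin: requester };
  }

  // Cross-origin: deny unless the resource opted in. A host that never sends an
  // allow list (typical for an intranet server) leaks nothing, even though the
  // user's browser can reach it.
  const optedIn = resource.allowOrigins.includes('*') ||
                  resource.allowOrigins.includes(requester);
  if (!optedIn) {
    return { allowed: false, body: null, headers: {}, cookies: [],
             scriptOrigin: requester };
  }

  // Opted in: expose the body only. HTTP headers and cookies stay hidden, and a
  // script in the body runs as the requesting document, not as the target.
  return { allowed: true, body: resource.body, headers: {}, cookies: [],
           scriptOrigin: requester };
}

// Constructed sample resources (hypothetical hosts).
const PAYROLL = {
  url: 'http://intranet.example/payroll.xml',
  body: '<payroll><row id="1"/></payroll>',
  headers: { Server: 'intranet-1.0' },
  cookies: ['session=abc'],
  allowOrigins: [],          // never opted in
};
const FEED = {
  url: 'http://data.example/feed.xml',
  body: '<feed/>',
  headers: { Server: 'feed-1.0' },
  cookies: ['tracker=xyz'],
  allowOrigins: ['*'],       // anyone may read the body
};

console.log(readAccess('http://attacker.example/page.html', PAYROLL));
console.log(readAccess('http://attacker.example/page.html', FEED));
console.log(readAccess('http://intranet.example/index.html', PAYROLL));
```

The port comparison in `originOf` is the detail most often got wrong: a page served from `http://intranet.example:8080` is a different origin from `http://intranet.example`, so it gets the default-deny answer for the payroll resource, exactly as an external site would.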
