W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

Re: (XMLHttpRequest 2) Second proposal for cross-site extensions to XMLHttpRequest

From: Ian Davis <ian.davis@talis.com>
Date: Tue, 18 Apr 2006 11:36:34 +0100
Message-ID: <4444C132.9040903@talis.com>
To: Ian Hickson <ian@hixie.ch>
CC: public-webapi@w3.org

On 18/04/2006 00:12, Ian Hickson wrote:
>    Access check: If there are response headers with the name
>    "Content-Access-Control", then they must have their values parsed
>    as the data part of an <?access-control?> PI.

My concern with this security model is that it doesn't prevent malicious 
scripts injected into a site from calling back to a host. For example I 
can set up a server to allow requests from all then contrive to inject a 
script via a broken forum that sends account details back to my server. 
The current cross-domain scripting rules prevent this.

I propose a simpler solution that allows hosts to declare their 
membership of cross-site scripting domains so that any host serving up 
scripts can restrict the scope of that script's actions.

When serving the script the originating host should issue a 
Scripting-Domain response header consisting of a comma-delimited list
of tokens. Before issuing any request to a third-party host the send() 
method must first issue a HEAD request to the given URI. If the 
third-party host includes a Scripting-Domain response header and any of 
the tokens in this header match any of the tokens in the originating 
host's Scripting-Domain header then the send() method should proceed 
with the request, otherwise it must act as if there had been a 
network-level failure.

The XHR object must not send the originating host's tokens to any other 
host. The tokens can be generated based on any suitable algorithm, it's 
up to the originating host to coordinate with third-party hosts for 
token meaning.

Ian
Received on Tuesday, 18 April 2006 10:36:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT