
Re: several messages

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 18 Apr 2006 17:14:22 +0000 (UTC)
To: Ian Davis <ian.davis@talis.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, public-webapi@w3.org
Message-ID: <Pine.LNX.4.62.0604181706340.21459@dhalsim.dreamhost.com>

On Tue, 18 Apr 2006, Ian Davis wrote:
> On 18/04/2006 00:12, Ian Hickson wrote:
> >    Access check: If there are response headers with the name
> >    "Content-Access-Control", then they must have their values parsed
> >    as the data part of an <?access-control?> PI.
> 
> My concern with this security model is that it doesn't prevent malicious 
> scripts injected into a site from calling back to a host.

As Bjoern pointed out, it is already trivially possible to do this both 
for GET and POST requests, which are the only requests that I propose to 
allow without a pre-flight check.


> I propose a simpler solution that allows hosts to declare their 
> membership of cross-site scripting domains so that any host serving up 
> scripts can restrict the scope of that script's actions.

I'm not sure that's simpler, but more importantly, I would suggest that is 
out of scope for this specification. You may be interested in work that 
Gervase Markham has been doing on this topic:

   http://www.gerv.net/security/content-restrictions/

...as well as discussions of a <sandbox> element in the WHATWG list, e.g.:

   http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2005-December/005294.html

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 18 April 2006 17:14:32 GMT
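As an added example (not code from the original message or from the W3C draft), a small Python routine that applies the quoted access check to the values of Content-Access-Control response headers, treating each value as the data part of one <?access-control?> PI. The allow/exclude pseudo-attribute syntax, the host-pattern matching rule and the deny-by-default policy are assumptions taken from the 2006 access-control working draft; the message itself only says that each header value is parsed as the PI's data.

```python
import re
from urllib.parse import urlsplit

# ASSUMPTION: the PI data carries pseudo-attributes allow="..." and exclude="..."
# holding whitespace-separated host patterns (as in the 2006 working draft).
_PSEUDO_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_access_control(pi_data):
    """Parse the data part of one <?access-control?> PI into (allow, exclude) lists.
    Unknown pseudo-attributes are ignored; unparsable data yields empty lists."""
    allow, exclude = [], []
    for name, value in _PSEUDO_ATTR.findall(pi_data):
        if name == "allow":
            allow.extend(value.split())
        elif name == "exclude":
            exclude.extend(value.split())
    return allow, exclude


def host_matches(pattern, host):
    """ASSUMED matching rule: '*' matches any host, '*.example.org' matches
    sub-domains of example.org only, anything else must match exactly.
    The leading dot in the suffix keeps 'notexample.org' from matching."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def access_allowed(header_values, origin):
    """Run the access check over all Content-Access-Control header values.
    ASSUMED policy: deny unless some allow pattern matches the requesting
    origin's host and no exclude pattern (from any header) matches it."""
    host = urlsplit(origin).hostname or ""
    allowed = False
    for value in header_values:
        allow, exclude = parse_access_control(value)
        if any(host_matches(p, host) for p in exclude):
            return False          # an exclude anywhere wins over every allow
        if any(host_matches(p, host) for p in allow):
            allowed = True
    return allowed
```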

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT