
Re: [cors] security issue with XMLHttpRequest API compatibility

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 7 Apr 2009 17:29:14 -0700
Message-ID: <63df84f0904071729l7bde13b7w4b661252d23f483@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps@w3.org
On Tue, Apr 7, 2009 at 4:16 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Tue, Apr 7, 2009 at 3:57 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> My point is that having two APIs that are identical and intended to be
>> used for basically the same thing, except for that they use different
>> security models, is a security bug waiting to happen.
>
> So you do of course realize that this is exactly what the WG is
> currently proposing, right? Browser version X will have an XHR with
> one security model and browser version X+1 will have an identical XHR
> API with a different security model.

But it's for a limited time. In a few years hopefully all browsers
support cross site XHR. And if you can already today follow the
advice that you should not rely on XHR not honoring your request just
because it's a cross site URI.

You are proposing a model where there are two types of XHR objects. One
where we specifically tell users that you can rely on the request not
being sent cross site, and one where you can't.

/ Jonas
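The advice discussed in this thread, not to rely on the browser refusing a cross-site XHR, can be followed in page script by checking the origin explicitly before any request object is created. The following is an added example, not code from the thread or from any W3C draft; the page origin `https://app.example` and the helper names are assumptions for the demonstration. It uses the WHATWG `URL` class, so default ports and protocol-relative URLs are handled the same way a browser resolves them.

```javascript
// Added example (not from the thread): explicit same-origin enforcement in
// page script, so the code does not depend on the browser's XHR policy of
// the day to refuse cross-site requests.

// Compute the origin (scheme://host[:port]) of a URL, resolving relative
// URLs against the page's own origin. Default ports are normalised away,
// so "https://app.example:443" and "https://app.example" compare equal.
function originOf(url, pageOrigin) {
  return new URL(url, pageOrigin).origin;
}

// True when `url` would be fetched from the same origin as the page.
function isSameOrigin(url, pageOrigin) {
  return originOf(url, pageOrigin) === pageOrigin;
}

// Resolve the target for a same-origin-only sender. Returns the absolute
// URL string to request, or throws before any request is created, so the
// decision is made by this code rather than by the browser's XHR rules.
function guardedTarget(url, pageOrigin) {
  if (!isSameOrigin(url, pageOrigin)) {
    throw new Error("refusing cross-origin request to " + originOf(url, pageOrigin));
  }
  return new URL(url, pageOrigin).href;
}

// Hypothetical page origin used for the demonstration.
const PAGE_ORIGIN = "https://app.example";

// Relative path: same origin, request is allowed.
console.log(guardedTarget("/api/data", PAGE_ORIGIN));

// Protocol-relative URL to another host: refused, whether or not the
// browser supports cross-site XHR.
try {
  guardedTarget("//other.example/api", PAGE_ORIGIN);
} catch (e) {
  console.log(e.message);
}
```

The protocol-relative case is the one a naive string-prefix check gets wrong: `"//other.example/api"` does not start with `https://`, yet resolves to a different host.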
Received on Wednesday, 8 April 2009 00:30:04 GMT
