
Re: XHR without user credentials

From: Mark S. Miller <erights@google.com>
Date: Mon, 8 Jun 2009 18:39:19 -0700
Message-ID: <4d2fac900906081839k4022271cu670d5871e1cad7e9@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Tyler Close <tyler.close@gmail.com>, Anne van Kesteren <annevk@opera.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Mon, Jun 8, 2009 at 5:25 PM, Jonas Sicking <jonas@sicking.cc> wrote:

> On Mon, Jun 8, 2009 at 2:33 PM, Tyler Close <tyler.close@gmail.com> wrote:
> >
> > Right, there is also a need for same origin requests without
> > credentials. For example, an advertisement on a social networking site
> > could be able to send requests to the social networking site, just not
> > under the user's credentials.
> >
> > I believe something like the following would satisfy the feature request:
> >
> > constructor: XMLHttpRequest()
> > credentials: by default only back to same origin
> >
> > constructor: GuestXMLHttpRequest()
> > credentials: no user credentials to any origin, including the same origin
>
> But if there's a third-party script, say from an advertisement, running
> in your page, what's to prevent that script from instantiating an
> object that does send credentials?
>

This use-case was the motivation for ADsafe, though any of the JavaScript
sanitizers would do.

Without some such sanitization technology, it remains unsafe to load
untrusted ads directly on your page. Adam and I are still arguing fine
points of just how unsafe, but there's no question that the answer is at
least "too unsafe".

With GuestXMLHttpRequest, such sanitized ads could be allowed to call home
safely without being able to impersonate their containing page's origin.

-- 
   Cheers,
   --MarkM
Received on Tuesday, 9 June 2009 01:39:56 GMT
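Added example, not code from this thread or from any of its participants: a request capability with the semantics Tyler proposes for GuestXMLHttpRequest, built on the Fetch API's `credentials: "omit"` option (which, unlike XHR's `withCredentials` flag, also drops cookies and HTTP auth on same-origin requests). The names `makeGuestFetch`, `makeRecordingFetch` and `runAdScript` are hypothetical; the fetch implementation is a recording fake so the example runs offline.

```javascript
// A "guest" request capability: whatever init the caller passes, the
// request goes out with credentials omitted, for any origin including
// the page's own. This is the GuestXMLHttpRequest behaviour from the
// thread, expressed over fetch(url, init).
function makeGuestFetch(fetchImpl) {
  return function guestFetch(url, init) {
    // Object.assign ignores an undefined init; our "omit" always wins.
    const guestInit = Object.assign({}, init, { credentials: "omit" });
    return fetchImpl(url, guestInit);
  };
}

// Constructed fake fetch (hypothetical): records each call synchronously
// and returns a resolved pseudo-response, so nothing touches the network.
function makeRecordingFetch() {
  const calls = [];
  const fake = (url, init) => {
    calls.push({ url, credentials: init && init.credentials });
    return Promise.resolve({ ok: true, url });
  };
  fake.calls = calls;
  return fake;
}

// Hypothetical embedded ad script. It is handed only guestFetch, so even
// an explicit request for credentials is downgraded to a guest request,
// and a same-origin call to the host site carries no user cookies.
async function runAdScript(guestFetch) {
  await guestFetch("https://ads.example/beacon", { credentials: "include" });
  await guestFetch("/api/profile");
}

// Runs the ad script against the recorder and returns the credentials
// mode actually used for each request.
async function demo() {
  const recorder = makeRecordingFetch();
  await runAdScript(makeGuestFetch(recorder));
  return recorder.calls.map((c) => c.credentials);
}
```

The wrapper only answers Jonas's objection if the embedded script cannot reach the page's ambient `fetch` or `XMLHttpRequest` and construct a credentialed request itself; keeping those globals out of the ad's reach is exactly what an ADsafe-style sanitizer is for.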
