
[cors] Possible need for a "Destination" Header

From: Mike Chack (mchack) <mchack@cisco.com>
Date: Mon, 16 Feb 2009 09:14:10 -0800
Message-ID: <7FE6845B1F8A264E9E03562D7EBB225C076029F2@xmb-sjc-22b.amer.cisco.com>
To: <public-webapps@w3.org>
Unless I am missing something, there seems to be a security hole with
the current proposal. If a site has been hacked then malicious code can
send content to any site that abides by the access control policies. It
is up to the destination site to accept the request, and in the case of
a nefarious destination, would most certainly do so. Wouldn't it also
make sense to have some policy control from the origination site that
would limit where requests could be made? This could be done in the form
of a "Destination" Header that would give more control over where
XmlHttp requests could be directed.

Mike Chack 
O: +1 408.526.4639 
M: +1 408.504.6594 
mchack@cisco.com 

Received on Tuesday, 17 February 2009 11:18:05 GMT
