
Re: CORS Background slides

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 4 Nov 2009 21:05:21 -0800
Message-ID: <63df84f0911042105v757f95f8ta8204a8f6b44b491@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Tyler Close <tyler.close@gmail.com>, WebApps WG <public-webapps@w3.org>
On Wed, Nov 4, 2009 at 6:04 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> I forgot to mention another shared secret management risk with the proposed
> GuestXHR-based protocol. The protocol involves passing the shared secret in
> URLs, including URLs that will appear in the browser's URL field. URLs
> should not be considered confidential - they have a high tendency to get
> inadvertently exposed to third parties. Some of the ways this happens
> include caching layers, the browser history (particularly shared sync of the
> browser history), and users copying URLs out of the URL field without
> considering whether this particular URL contains a secret.
>
> I believe this can be fixed by always transmitting the shared secret in the
> body of an https POST rather than as part of the URL, so this risk is not
> intrinsic to this style of protocol.

What about headers? We could allocate a specific header which is
allowed to be set for cross site requests.

/ Jonas
Received on Thursday, 5 November 2009 05:06:20 GMT
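As an added example, not code from this thread or from any GuestXHR implementation: a small Python model of the server-side check the two messages above are circling around. It refuses a shared secret carried in the URL, accepts it only from an https POST body or a dedicated request header, and answers the CORS preflight that a cross-site client needs before it may send that header. The header name X-Guest-Secret, the field name "secret" and the allowed origin are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

SECRET_HEADER = "X-Guest-Secret"        # assumed header name, not from the thread
SECRET_FIELD = "secret"                 # assumed body/query field name
ALLOWED_ORIGIN = "https://client.test"  # assumed cross-site caller


def secret_locations(method, url, headers, body=""):
    """Report every place a request carries the shared secret."""
    found = set()
    if SECRET_FIELD in parse_qs(urlsplit(url).query):
        found.add("url")        # ends up in history, caches, referrers, copied links
    if any(k.lower() == SECRET_HEADER.lower() for k in headers):
        found.add("header")
    if method == "POST" and SECRET_FIELD in parse_qs(body):
        found.add("body")
    return found


def accept(method, url, headers, body=""):
    """Accept the secret only over https and only from the POST body or header."""
    where = secret_locations(method, url, headers, body)
    if not where or "url" in where:     # missing, or exposed through the URL
        return False
    return urlsplit(url).scheme == "https"


def preflight_response(request_headers):
    """Answer a CORS preflight: allow only the dedicated header, only for the known origin."""
    if request_headers.get("Origin") != ALLOWED_ORIGIN:
        return {}                       # unknown origin: no CORS headers at all
    asked = request_headers.get("Access-Control-Request-Headers", "")
    wanted = {h.strip().lower() for h in asked.split(",") if h.strip()}
    if wanted and wanted != {SECRET_HEADER.lower()}:
        return {}                       # client asked for headers we never allow
    reply = {"Access-Control-Allow-Origin": ALLOWED_ORIGIN}
    if wanted:
        reply["Access-Control-Allow-Headers"] = SECRET_HEADER
    return reply
```

A custom request header is not "simple" under CORS, so the browser sends a preflight first and the server must list the header in Access-Control-Allow-Headers, which is what the last function does.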
