W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Client-side cross origin

From: William Edney <bedney@technicalpursuit.com>
Date: Tue, 11 May 2010 12:40:44 -0500
Message-Id: <E69F46F1-6626-456B-AFC5-E5FD2B1DAAC8@technicalpursuit.com>
To: public-webapps <public-webapps@w3.org>
All -

As a longtime developer of client-side Web applications, I have longed for such a mechanism that would allow the user to explicitly opt-in to allow cross-origin access.

This access would be:

* explicit opt-in
* per site

I can imagine a user scenario thusly:

- User loads page from SiteA
- Page from SiteA tries to access a 'web service' on SiteB.
- Browser prompts user and says "This page would like to access a service on <SiteB>".
- If user approves, the browser allows the cross-origin request.
- Security as far as SiteB is concerned should be implemented by SiteB... it is SiteB's responsibility for having made such a service available on the web. The browser may assist by passing along credential information, etc. of the current user to SiteB. In any case, SiteB has no additional configuration to do like is currently required with CORS. As far as SiteB is concerned, this call could be coming from another server - as long as the login/security credentials prove out, it doesn't matter.

Right now, Mozilla via signed scripts and IE via a popup dialog (not XDomain request here - the old 'cross-origin' stuff IE has) provide some measure of cross-origin access from the browser side. Chrome, via an extension, allows cross-origin and so does Mozilla.

The problem with Mozilla's current signed script solution is that it is cumbersome, doesn't give the user enough information and is going away in future Mozilla releases. It also provides no credential information to the server being called.

The problem with IE's non-XDomain solution is that it also gives the user very little information other than 'a cross-site request is being made' and also provides no credential information to the server being called.

The problem with Mozilla's and Chrome's extension version is that its an additional install for users of the page in question and also provide no credential information to the server being called.

So far, CORS is the most widely implemented standard, but has the unfortunate side effect of requiring additional server-side configuration over and above whatever security mechanisms the service vendor (i.e. SiteB in this scenario) has had to configure to make their service available on the Web in the first place.

My feeling is that there is a 'pure client side' solution here and that specifying this sort of capability is within the purview of this group.

Thoughts?

Cheers,

- Bill

On May 11, 2010, at 8:53 AM, Boris Zbarsky wrote:
> 
> That's a different situation.  That would require explicit opt-in from the user.  In fact, imo it would require explicit opt-in to even see the question being asked.
> 
> -Boris
> 
Received on Tuesday, 11 May 2010 17:41:22 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT