W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: HTTP access control confusion

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 30 Jul 2010 22:28:50 +0200
To: Douglas Beck <dbeck@mail.ucf.edu>
Cc: public-webapps@w3.org, Jared <jslang@mail.ucf.edu>
Message-ID: <bfc656t49968r3pkvhgm8cvsnvhqdd0vck@hive.bjoern.hoehrmann.de>
* Douglas Beck wrote:
>I create domain-a.com and I want to make an ajax request to 
>domain-b.com.  A preflight request is made to domain-b, and domain-b 
>responds with whether it is safe to send the request.
>
>Does it not make more sense for me (the author of domain-a) to define 
>the security policy of my website?  I know each and every request that 
>should be made on my site and can define a list of all acceptable 
>content sources.  If the preflight request is made to domain-a (not 
>domain-b) then the content author is the source of authority.

How the domains interact with each other is their business, the question
is whether the user wants his browser to act as a proxy for communication
between those domains, in your case, whether he is okay with letting the
domain domain-a impersonate him when communicating with domain-b. As an
example, university networks are often configured to deny access to some
resources from outside the network, but grant access to anyone within
the network. If you can trick someone within the network into accessing
your site, you would inherit their privileges inside the university network.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 30 July 2010 20:29:22 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT