- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 30 Jul 2010 22:28:50 +0200
- To: Douglas Beck <dbeck@mail.ucf.edu>
- Cc: public-webapps@w3.org, Jared <jslang@mail.ucf.edu>
* Douglas Beck wrote:
>I create domain-a.com and I want to make an ajax request to
>domain-b.com. A preflight request is made to domain-b, domain-b
>responds with whether it is safe to send the request.
>
>Does it not make more sense for me (the author of domain-a) to define
>the security policy of my website? I know each and every request that
>should be made on my site and can define a list of all acceptable
>content sources. If the preflight request is made to domain-a (not
>domain-b) then the content author is the source of authority.

How the domains interact with each other is their business; the question
is whether the user wants his browser to act as a proxy for communication
between those domains, in your case, whether he is okay with letting the
domain domain-a impersonate him when communicating with domain-b.

As an example, university networks are often configured to deny access
to some resources from outside the network, but grant access to anyone
within the network. If you can trick someone within the network into
accessing your site, you would inherit their privileges inside the
university network.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 30 July 2010 20:29:22 UTC
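The point of the reply above, written out as an added example that is not part of the thread or of any W3C code: a minimal model of the resource server ("domain-b") and of the browser's read check, as pure functions so it runs offline. The "weak" policy reflects whatever Origin arrives, which lets any page an internal user visits read the network-gated resource through that user's browser; the "strict" policy keeps the decision with the resource owner via an explicit allow-list. The origins, the internal IP range, the resource body and the function names are assumptions for illustration.

```javascript
// Added example, not from the thread: CORS policy on the resource server
// ("domain-b") next to the browser-side read check. Pure functions, no network.
// Origins, the internal range and the resource content are hypothetical.

const INTERNAL_NET = '10.0.';                      // "inside the university network"
const ALLOWED_ORIGINS = new Set(['https://partner.example']);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['content-type', 'x-requested-with'];

const isInternal = ip => ip.startsWith(INTERNAL_NET);

// Weak policy: reflect any Origin and allow credentials. Any site that gets an
// internal user's browser to send a request can now read the reply, i.e. the
// browser is used as a proxy carrying the user's network privilege.
function corsHeadersWeak(origin) {
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
  };
}

// Corrected policy: only origins the resource owner listed get CORS headers.
function corsHeadersStrict(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin',
  };
}

// Preflight under the strict policy: 403 unless origin, method and requested
// headers are all on the allow-lists.
function preflight(req) {
  const origin = req.headers['origin'];
  const method = (req.headers['access-control-request-method'] || '').toUpperCase();
  const asked = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.includes(method) ||
      !asked.every(h => ALLOWED_HEADERS.includes(h))) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      ...corsHeadersStrict(origin),
      'access-control-allow-methods': ALLOWED_METHODS.join(', '),
      'access-control-allow-headers': ALLOWED_HEADERS.join(', '),
      'access-control-max-age': '600',
    },
  };
}

// The resource itself is gated only on network position: the server trusts
// anyone inside. That is the ambient privilege a cross-origin request inherits.
function serveInternalResource(req, policy) {
  if (!isInternal(req.clientIp)) return { status: 403, headers: {}, body: '' };
  const origin = req.headers['origin'];
  const cors = policy === 'weak' ? corsHeadersWeak(origin) : corsHeadersStrict(origin);
  return { status: 200, headers: { 'content-type': 'text/plain', ...cors }, body: 'internal data' };
}

// The browser's check before it exposes a credentialed response to page script.
function browserAllowsRead(pageOrigin, res) {
  const acao = res.headers['access-control-allow-origin'];
  if (acao === undefined || acao === '*') return false;  // '*' is not valid with credentials
  return acao === pageOrigin && res.headers['access-control-allow-credentials'] === 'true';
}

// End to end: can a script on `pageOrigin`, running in a browser located at
// `clientIp`, read the internal resource under the given server policy?
function scriptCanRead(pageOrigin, clientIp, policy) {
  const req = { method: 'GET', clientIp, headers: { origin: pageOrigin } };
  const res = serveInternalResource(req, policy);
  return res.status === 200 && browserAllowsRead(pageOrigin, res);
}
```

Run with the constructed inputs: an attacker page visited from an internal address reads the resource under the weak policy and not under the strict one, the listed partner origin reads it only from inside the network, and a preflight from an unlisted origin is refused outright. Note that the client-side part is only a model of the browser's check; the real enforcement is done by the browser, which is why the policy has to come from the resource's own origin rather than from the requesting page.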