
[Bug 11835] New: Please do *not* require a same-origin restriction in user agents (as currently specified under "Security Considerations")! These cross-origin data leakage security issues have already been addressed by the CORS specification (http://www.w3.org/TR/cors/).

From: <bugzilla@jessica.w3.org>
Date: Fri, 21 Jan 2011 19:07:57 +0000
To: public-webapps@w3.org
Message-ID: <bug-11835-2927@http.www.w3.org/Bugs/Public/>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11835

           Summary: Please do *not* require a same-origin restriction in
                    user agents (as currently specified under "Security
                    Considerations")!  These cross-origin data leakage
                    security issues have already been addressed by the
                    CORS specification (http://www.w3.org/TR/cors/).
           Product: WebAppsWG
           Version: unspecified
          Platform: Other
               URL: http://www.whatwg.org/specs/web-apps/current-work/#top
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Server-Sent Events (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: contributor@whatwg.org
         QAContact: member-webapi-cvs@w3.org
                CC: mike@w3.org, public-webapps@w3.org


Specification: http://dev.w3.org/html5/eventsource/
Section: http://www.whatwg.org/specs/web-apps/current-work/complete.html#top

Comment:
Please do *not* require a same-origin restriction in user agents (as currently
specified under "Security Considerations")!  These cross-origin data leakage
security issues have already been addressed by the CORS specification
(http://www.w3.org/TR/cors/).  EventSource should simply adopt the policies
outlined there.

I consider this a critical flaw, as cross-domain requests are essential to
working around user agent connection limits.  Unless this is addressed,
developers will simply ignore native user agent implementations and write their
own XHR+CORS-based APIs (as they're already doing).  This spec will be
nothing more than tepid inspiration for those 3rd-party solutions, and ignored
otherwise.

Posted from: 66.220.144.74

Received on Friday, 21 January 2011 19:07:59 GMT
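As an added example (not part of the bug report, the EventSource draft, or the CORS specification), this is what "adopting the CORS policies" looks like on the server side of a Server-Sent Events endpoint: a cross-origin page can only read the text/event-stream response when the server names the requesting origin in its response headers, so the leakage concern in "Security Considerations" is handled by an explicit per-origin opt-in rather than a blanket same-origin rule. The origins, the allowlist and the helper names are assumptions; the stream framing follows the text/event-stream field syntax.

```python
"""Constructed helpers for a CORS-gated EventSource endpoint (example code)."""
import re
from typing import Optional

# Constructed allowlist; a real deployment loads this from configuration.
ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}

_LINE_BREAK = re.compile(r"\r\n|\r|\n")


def cors_headers_for(origin: Optional[str], allowed_origins: set,
                     allow_credentials: bool = False) -> Optional[dict]:
    """Headers to add to the SSE response, or None to add none.

    None means the browser will refuse to expose the stream to the page:
    the safe default for an origin the server did not opt in.  A missing
    Origin header is a same-origin or non-browser request, which needs
    no CORS headers at all.
    """
    if origin is None:
        return {}
    if origin not in allowed_origins:
        return None
    headers = {
        # Echo the exact allowlisted origin.  A "*" would expose the stream
        # to every site, and browsers reject "*" combined with credentials.
        "Access-Control-Allow-Origin": origin,
        # The response differs per origin, so shared caches must key on it.
        "Vary": "Origin",
    }
    if allow_credentials:
        # Only needed for EventSource(url, {withCredentials: true}).
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def sse_frame(data: str, event: Optional[str] = None,
              event_id: Optional[str] = None) -> str:
    """Serialize one event in text/event-stream format.

    Each line of data becomes its own "data:" field and a blank line ends
    the event.  The event name and id are single-line fields: a line break
    in one would let untrusted input forge extra fields, so it is rejected.
    """
    for name, value in (("event", event), ("id", event_id)):
        if value is not None and _LINE_BREAK.search(value):
            raise ValueError(f"{name} field may not contain a line break")
    lines = []
    if event is not None:
        lines.append(f"event: {event}")
    if event_id is not None:
        lines.append(f"id: {event_id}")
    lines.extend(f"data: {part}" for part in _LINE_BREAK.split(data))
    return "\n".join(lines) + "\n\n"
```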
