
Re: Cross-Origin Resource Embedding Restrictions

From: Nathan <nathan@webr3.org>
Date: Tue, 01 Mar 2011 20:33:04 +0000
Message-ID: <4D6D5800.9010904@webr3.org>
To: Anne van Kesteren <annevk@opera.com>
CC: WebApps WG <public-webapps@w3.org>
Anne van Kesteren wrote:
> http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html
> 
> And although it might end up being part of the Content Security Policy 
> work I think it would be useful if we publish a Working Draft of this work 
> to gather more input, committing us nothing.
> 
> What do you think?

Halfway there. I don't follow why a line of js invokes an "everything 
cross-origin blocked by default" security model, and a line of html 
invokes an "everything allowed by default" security model. Nor do I 
follow why "origin" isn't just sent as standard with every request and 
access controlled by the server based on origin (rather than controlled 
only "by user agents which choose to follow the specs", offering an 
artificial screen).

However, on this specific draft, is there any chance you can move to a 
white-list/black-list model, where people can send either Allow-Origin 
or Deny-Origin? For instance, in many scenarios I want to allow everyone 
except origins A and B, who I know consistently "steal" bandwidth or 
display my resources beside unsavoury ones.

Best,

Nathan
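The server-side model Nathan describes (the request carries the embedding page's origin, the server decides from an allow/deny list), as an added example that is not part of this thread or of the From-Origin draft. Allow-Origin and Deny-Origin are Nathan's hypothetical headers; here they are modelled as server configuration lists, and the fallback from Origin to Referer, the header names, and the policy for requests that carry neither are assumptions of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url):
    """Reduce a URL or serialized origin to (scheme, host, port).

    Returns None for "null", opaque origins, unknown schemes or garbage,
    so that callers treat them as "no usable origin" rather than crashing."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:          # e.g. a non-numeric port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def request_origin(headers):
    """Origin of the embedding document (assumption: Origin if the user
    agent sent one, otherwise derived from Referer; headers keyed lowercase)."""
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value:
            return serialize_origin(value.strip())
    return None


def embedding_allowed(headers, allow=("*",), deny=()):
    """Decide whether to serve a resource to the requesting embedder.

    Deny wins over allow; "*" in allow means "everyone not on the deny list",
    which is the "allow everyone except A and B" case from the post.
    Returns True if the server should send the resource."""
    origin = request_origin(headers)
    deny_set = {serialize_origin(o) for o in deny} - {None}
    allow_set = {serialize_origin(o) for o in allow} - {None}
    if origin is None:
        # No usable Origin/Referer: a deny list cannot be enforced, so only
        # the open policy ("*") serves the resource; a pure allow list refuses.
        return "*" in allow
    if origin in deny_set:
        return False
    return "*" in allow or origin in allow_set


if __name__ == "__main__":
    # Constructed request: an embedder on the deny list, with port normalised.
    print(embedding_allowed({"origin": "https://a.example:443"}, deny=["https://a.example"]))
```

Note that comparison is on the serialized origin (scheme, host, port), so http://a.example and https://a.example are distinct entries, as the browser origin model requires.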
Received on Tuesday, 1 March 2011 20:34:58 GMT
