- From: Jim Ley <jim.ley@gmail.com>
- Date: Wed, 9 Mar 2005 08:57:12 +0000
On Tue, 8 Mar 2005 19:09:43 -0800, Chris Holland <frenchy at gmail.com> wrote:
> Well, the value of the Referrer header I'm talking about in this case,
> would always be the URI of the document originating the
> ContextAgnosticXmlHttpRequest, NOT the *document*'s referrer. Based on
> this requirement, I should be able to rely on this header to protect
> my service.

How do you know it's not just some random client with a referrer that
happens to meet your idea of accurate? Even if implementors of your
version of the object were religiously accurate in following this rule,
no other HTTP implementation need do it.

> How about requiring from a service that it sets an extra HTTP header
> to offer its content to "foreign" hosts:
>
> X-Allow-Foreign-Host: All | None | .someforeigndomain.com |
> .somehost.someforeigndomain.com

This is a much better proposal than the stealing of URIs in my domain to
mean some special thing. We're already plagued by the favicon bugs in
Firefox hammering our servers with requests for documents we never
defined.

> all this, I believe, tends to bleed into your own idea of establishing
> some sort of trust relationship. To that end, I need to spend more
> time grokking 11.4 from your document. I think I'm getting there.

11.4 isn't particularly relevant, surely? That's about cross-document, so
both documents would need to exist on the client before any
communication could occur.

> I was basically trying to
> further limit the types of documents you could ever retrieve, to
> purely valid XML documents, so no random text or Tag Soup HTML
> document could be arbitrarily leeched.

Please don't have any solution that limits the user to XML; it's a
pointless arbitrary restriction that offers nothing but serious
performance hits to the client, and complications to the user.

Jim
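The two mechanisms argued over above, a client-supplied Referer check versus a server-declared `X-Allow-Foreign-Host` header enforced by the user agent, can be modelled side by side. The following Python is an added illustration, not code from the thread, from Chris Holland's proposal or from any browser. It assumes a grammar for the header that the thread only sketches: `All`, `None`, or one or more leading-dot host suffixes, with multiple entries separated by commas (the comma separator and the "leading dot means that host and its subdomains" reading are both assumptions). The header and host values used are constructed for the example.

```python
"""Model of the two access-control ideas from the thread (added example).

Assumed header grammar (not fully specified in the thread):
    X-Allow-Foreign-Host: All | None | .domain.example[, .other.example]
A leading dot is read as "this host and every subdomain of it".
"""

from typing import Dict, List, Optional
from urllib.parse import urlparse


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; look the header up that way."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_allow_foreign_host(value: str) -> List[str]:
    """Split the header value into normalised tokens (assumed comma-separated)."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def host_allowed(policy: str, document_host: str) -> bool:
    """Decide whether a document served from document_host may read the response.

    'None' anywhere in the value denies, 'All' admits every host, and a
    leading-dot suffix is matched on whole DNS labels, so '.example.com'
    admits example.com and api.example.com but not notexample.com.
    """
    host = document_host.strip().lower().rstrip(".")
    tokens = parse_allow_foreign_host(policy)
    if not host or not tokens or "none" in tokens:
        return False
    if "all" in tokens:
        return True
    for token in tokens:
        if token.startswith(".") and len(token) > 1:
            suffix = token[1:]
            if host == suffix or host.endswith("." + suffix):
                return True
    return False


def deliver_to_document(response_headers: Dict[str, str], body: bytes,
                        document_host: str, same_host: bool) -> Optional[bytes]:
    """The user agent's gate for the proposed header.

    Same-host requests behave as XMLHttpRequest already does. A foreign
    request only hands the body to the calling document if the *server*
    opted in; a missing header is treated as 'None' (deny by default).
    """
    if same_host:
        return body
    policy = _get_header(response_headers, "X-Allow-Foreign-Host") or "None"
    return body if host_allowed(policy, document_host) else None


def referer_gate(request_headers: Dict[str, str], trusted_host: str) -> bool:
    """The Referer-based check Jim argues against.

    The value is whatever the client chose to send, so passing this check
    only shows that the client *claimed* a particular originating document;
    it verifies nothing about who actually made the request.
    """
    referer = _get_header(request_headers, "Referer") or ""
    return urlparse(referer).hostname == trusted_host


if __name__ == "__main__":
    # Constructed sample: a service opting in for one domain and its subdomains.
    service_response = {"Content-Type": "text/plain",
                        "X-Allow-Foreign-Host": ".someforeigndomain.com"}
    print(deliver_to_document(service_response, b"data",
                              "somehost.someforeigndomain.com", same_host=False))
    print(deliver_to_document(service_response, b"data",
                              "unrelated.example", same_host=False))
    # Constructed sample: any HTTP client can send this header value.
    print(referer_gate({"Referer": "http://myservice.example/page"},
                       "myservice.example"))
```

The design choice worth noting is where enforcement lives: `deliver_to_document` runs in the user agent and relies on a statement the *server* makes about its own content, whereas `referer_gate` runs on the server and relies on a statement the *client* makes about itself. Only the former gives the service owner something they control.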
Received on Wednesday, 9 March 2005 00:57:12 UTC