[whatwg] JSONRequest

Darin Fisher wrote:
> Keep in mind that there is also the problem that the POST request may
> have undesirable side-effects.  The web app probably needs a request
> header from the browser to tell it what domain is sending it data.  The
> Referer header is not sufficient since the browser will not send a HTTPS
> referrer-URI over plaintext.

And Referer, of course, is optional. And having something which is
compulsory might raise privacy issues.

> We need to restrict READs as well as WRITEs when it comes to XSS ;-)

Good point; I'd forgotten that.

Gerv

Received on Monday, 13 March 2006 14:23:10 UTC
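The check Darin is describing, as an added example written for this archive page (it is not code from the thread or from any JSONRequest implementation): a server decides whether a state-changing request may proceed from its request headers alone. It assumes a hypothetical allowlist of trusted origins, and it prefers an Origin header over Referer; the Origin header is a later standard (RFC 6454, after this 2006 discussion) and is exactly the compulsory "which domain sent this" header the thread is asking for. Referer is kept only as a fallback, since it is optional and is not sent from an HTTPS page to a plaintext target, which is why a request with no origin information is refused rather than assumed harmless. The sample requests at the bottom are constructed for the demonstration.

```javascript
// Added example (not from the thread). Hypothetical server-side guard for
// requests that may have side effects (POST etc.), based only on headers.
// Assumptions (not in the original message): a hypothetical allowlist of
// trusted origins, and browsers that send an Origin header on cross-site
// POSTs (standardised after this thread, RFC 6454).

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Reduce an absolute URL to its origin (scheme://host[:port]).
// Returns null for anything unparsable, including the literal "null" origin
// that browsers send for sandboxed or privacy-sensitive contexts.
function originFromUrl(url) {
  try {
    const u = new URL(url);
    return u.origin === 'null' ? null : u.origin;
  } catch (e) {
    return null;
  }
}

// Work out which origin the request claims to come from.
// Origin is authoritative when present. Referer is only a fallback: it is
// optional, and browsers strip it when an HTTPS page targets plain HTTP,
// so its absence must not be read as "same site".
function requestOrigin(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  if (h.origin) return { origin: originFromUrl(h.origin), source: 'Origin' };
  if (h.referer) return { origin: originFromUrl(h.referer), source: 'Referer' };
  return { origin: null, source: null };
}

// Decide whether a request is allowed to reach a side-effecting handler.
// Safe methods pass; this guard is about side effects, not about cross-site
// reads, which the browser has to restrict on its side (Darin's second point).
function checkRequest(method, headers, allowedOrigins) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allowed: true, reason: 'safe method, no side effects expected' };
  }
  const { origin, source } = requestOrigin(headers);
  if (origin === null) {
    return { allowed: false, reason: 'no usable origin information' };
  }
  if (!allowedOrigins.has(origin)) {
    return { allowed: false, reason: `origin ${origin} not trusted (from ${source})` };
  }
  return { allowed: true, reason: `origin ${origin} trusted (from ${source})` };
}

// Constructed sample requests for the demonstration (hypothetical hosts).
const ALLOWED = new Set(['https://app.example']);
const samples = [
  { method: 'POST', headers: { Origin: 'https://app.example' } },        // same-site form post
  { method: 'POST', headers: { Referer: 'https://app.example/page' } },  // no Origin, Referer only
  { method: 'POST', headers: {} },                                        // HTTPS page -> HTTP target: Referer stripped
  { method: 'POST', headers: { Origin: 'https://evil.example' } },       // cross-site attacker
  { method: 'POST', headers: { Origin: 'null' } },                        // opaque origin
  { method: 'GET',  headers: {} },                                        // read; side effects not expected
];
for (const s of samples) {
  console.log(s.method, JSON.stringify(s.headers), '->', checkRequest(s.method, s.headers, ALLOWED));
}
```

The point of refusing the header-less POST is the one Gerv and Darin make: because Referer is optional and suppressed on HTTPS to HTTP transitions, a server that treats "no Referer" as "probably fine" can be driven by any third-party page, so the only safe default is to require a positive origin claim and reject everything else.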