
Re: Impending web-arch issue?

From: Mark S. Miller <erights@google.com>
Date: Tue, 11 May 2010 07:08:40 -0700
Message-ID: <AANLkTim7Iiu_8lCH2uR6z0cnOLOFRLXQuROy2ggLv_6w@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: nathan@webr3.org, "www-tag@w3.org" <www-tag@w3.org>

On Tue, May 11, 2010 at 6:57 AM, Anne van Kesteren <annevk@opera.com> wrote:

> On Tue, 11 May 2010 15:47:41 +0200, Mark S. Miller <erights@google.com>
> wrote:
>
>> Given an apache compatible web server, you could add
>>
>>    <FilesMatch "\.js$">
>>      Header set Access-Control-Allow-Origin "*"
>>    </FilesMatch>
>>
>> in a root .htaccess file. Adding this header is a good idea for all
>> resources that parse as JavaScript anyway, as should be the case for all
>> *.js files and for all JSONP services, since these resources are already
>> not protected by the Same Origin Policy. For these resources, adding this
>> header *cannot* result in any loss of security.
>>
>
> Actually, that is incorrect. Being able to read the contents of a
> JavaScript is quite different from being able to execute a JavaScript file.
> E.g. there could be confidential comments in the file or some such.
>

Ah! I have heard this debated back and forth, but never heard the issue of
confidential comments raised. You are correct. Adding this .htaccess file
would compromise the confidentiality of those comments. Good catch!
>
> (I'm not saying that any of this is a good idea, just that it is not at all
> the same.)
>
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
-- 
    Cheers,
    --MarkM
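The distinction Anne raises above (cross-origin readability versus cross-origin executability) is something an operator can check for before applying the quoted `.htaccess` rule. The following is an added example, not code from either correspondent: it takes the `FilesMatch` pattern from the thread and a constructed set of files standing in for a web root, and reports which matched files carry comments that would become readable to any origin once `Access-Control-Allow-Origin: *` is set on them.

```python
"""Added example (not from the thread): list JavaScript files whose comments
become cross-origin readable under the quoted .htaccess rule
(FilesMatch "\\.js$" + Header set Access-Control-Allow-Origin "*")."""
import re

# Regex from the quoted FilesMatch directive; Apache applies it to the file name.
FILES_MATCH = r"\.js$"

# Constructed sample web root; these files are not from the original message.
SAMPLE_TREE = {
    "app.js": "var x = 'not // a comment'; // TODO: rotate key before launch\nrun();\n",
    "lib/vendor.js": "/* Copyright 2010 Example Corp */\nfunction f(){return 1}\n",
    "clean.js": "var url = \"http://example.invalid/\"; f(url);\n",
    "index.html": "<!-- html comment, not matched by FilesMatch -->",
}

_TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"|`(?:\\.|[^`\\])*`)  # string literals
  | (?P<line>//[^\n]*)                                                  # // comment
  | (?P<block>/\*.*?\*/)                                               # /* */ comment
""", re.S | re.X)

def extract_comments(source: str) -> list[str]:
    """Return comment bodies in JS source, skipping comment-like text inside strings.
    Regex literals are not tokenised, so a literal such as /\\/\\// may be misread."""
    out = []
    for m in _TOKEN.finditer(source):
        if m.group("line"):
            out.append(m.group("line")[2:].strip())
        elif m.group("block"):
            out.append(m.group("block")[2:-2].strip())
    return out

def exposed_by_cors(tree: dict, pattern: str = FILES_MATCH) -> dict:
    """Map each file the FilesMatch rule covers to the comments that any origin
    could read once ACAO: * is set on it. Files without comments are omitted,
    since executing a script via <script src> never reveals its comments."""
    rule = re.compile(pattern)
    report = {}
    for path, source in tree.items():
        if rule.search(path):
            comments = extract_comments(source)
            if comments:
                report[path] = comments
    return report

if __name__ == "__main__":
    for path, comments in exposed_by_cors(SAMPLE_TREE).items():
        print(f"{path}: readable cross-origin once ACAO * is set: {comments}")
```

Running it over a real document root (substituting a directory walk for the constructed dict) gives the list of files to strip comments from, or to exclude from the `FilesMatch` rule, before the header is deployed.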
Received on Tuesday, 11 May 2010 14:09:10 GMT