XMLHTTPRequest restrictions by origin

XMLHTTPRequest restrictions by origin are driving me crazy.

Every week it seems some code which used to work perfectly fine has been blocked by ever-increasing security restrictions on what XMLHTTPRequest can do.


For example, a test file which used to work fine in 
/devel/github.com/linkeddata/tabulator-firefox/content/js/rdf/test/index.html
now gives an error (e.g. in Chrome):
XMLHttpRequest cannot load file:///devel/github.com/linkeddata/tabulator-firefox/content/js/rdf/test/tc0006/test_UUU.js?_=1411730688738. Received an invalid response. Origin 'null' is therefore not allowed access. 


I test things in file: space where I can edit them and reload fast.
I normally assume that a program I run in file: space is going to run and have access to whatever I have access to -- it is a trusted program in the unix model.   (Yes, in an ideal world would I trap things which are untrusted in a Downloads directory, for example, and give them less access? Yes, but until we have a system like that, can we allow scripts in files to access files?)

Other recent battles have been about Firefox getting confused as to when credentials should be sent, and as a result blocking an insecure access or now sending credentials on a secure one.

Oops, here is another.
XMLHttpRequest cannot load http://www.w3.org/2000/10/rdf-tests/rdfcore/amp-in-url/test001.nt. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://linkeddata.github.io' is therefore not allowed access. 
The 14-year-old test data now has to have its .htaccess files tweaked.

Maybe, instead of asking every publisher of public content to change their config files, we either ask users to say they are not receiving the benefit of any "behind the firewall" or IP-authenticated material, or for that matter suggest those who do use those methods must change *their* servers to add a header saying that.

This is probably the wrong list to send this to, and this must have been wargamed by the community before now -- maybe someone could provide me a pointer to the report.

Tim

Received on Friday, 26 September 2014 12:11:57 UTC
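The two errors quoted in the message are the browser's CORS check refusing to hand the response to the page, and the .htaccess tweak Tim mentions is the server-side half of that check. Below is an added example, not code from the message, from the tabulator project or from www.w3.org: a server-side policy function that decides which CORS headers to send, beside a model of the browser-side check that produces the quoted error text, run over the situations in the message. It assumes Node.js, and every origin, policy object, header and scenario in it is constructed for illustration.

```javascript
// Added example, not part of Tim's message or of the tabulator code: a
// server-side CORS policy function next to a model of the browser-side
// check that produces the errors quoted in the message. Assumed
// environment is Node.js; every origin, policy and header here is constructed.

// Server side. Decide which CORS headers to send for a given Origin.
// Public read-only data (such as the RDF test files) can use the wildcard.
// Data that is protected by cookies, HTTP auth or by being "behind the
// firewall" must not, and may only echo origins it trusts.
function corsResponseHeaders(requestOrigin, policy) {
  const headers = {};
  if (requestOrigin === undefined) {
    return headers; // same-origin request or non-browser client: no CORS needed
  }
  if (policy.publicReadOnly) {
    headers['Access-Control-Allow-Origin'] = '*'; // safe only because nothing is credentialed
    return headers;
  }
  // Every file:// page, data: URL and sandboxed iframe presents Origin "null",
  // so echoing "null" back would let any of them read the response.
  if (requestOrigin === 'null') {
    return headers;
  }
  if (policy.trustedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin; // exact echo, never "*"
    headers['Vary'] = 'Origin'; // shared caches must not reuse this for another origin
    if (policy.allowCredentials) {
      headers['Access-Control-Allow-Credentials'] = 'true';
    }
  }
  return headers; // no header at all means the browser refuses the read
}

// Browser side. Model of what XMLHttpRequest does with the response headers.
function browserCorsCheck(requestOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) {
    return {
      allowed: false,
      reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource. " +
        "Origin '" + requestOrigin + "' is therefore not allowed access.",
    };
  }
  if (withCredentials) {
    if (acao === '*') {
      return { allowed: false, reason: "wildcard '*' is not accepted when credentials are sent" };
    }
    if (responseHeaders['Access-Control-Allow-Credentials'] !== 'true') {
      return { allowed: false, reason: 'credentialed request needs Access-Control-Allow-Credentials: true' };
    }
  }
  if (acao !== '*' && acao !== requestOrigin) {
    return { allowed: false, reason: "Access-Control-Allow-Origin '" + acao + "' does not match '" + requestOrigin + "'" };
  }
  return { allowed: true, reason: 'ok' };
}

// Walk through the situations in the message. Returns a list of
// { label, allowed, reason } so the outcome can be inspected programmatically.
function walkthrough() {
  const publicData = { publicReadOnly: true, trustedOrigins: [], allowCredentials: false };
  const intranetData = { publicReadOnly: false, trustedOrigins: ['https://linkeddata.github.io'], allowCredentials: true };
  const page = 'https://linkeddata.github.io';
  const results = [];
  const record = (label, check) => results.push({ label, allowed: check.allowed, reason: check.reason });

  // 1. file:// test page loading a file:// script: the "response" carries no
  //    headers at all, and the page's own origin is the opaque "null".
  record('file: page -> file: script', browserCorsCheck('null', false, {}));
  // 2. Old test data on a server with no CORS header configured.
  record('untouched test data', browserCorsCheck(page, false, {}));
  // 3. The same data after the .htaccess tweak (wildcard for public data).
  record('public data after adding the header', browserCorsCheck(page, false, corsResponseHeaders(page, publicData)));
  // 4. Credentials sent to a public resource: the wildcard is rejected by design.
  record('credentials against wildcard', browserCorsCheck(page, true, corsResponseHeaders(page, publicData)));
  // 5. Credentials sent to a server that trusts this origin and says so.
  record('credentials against trusting server', browserCorsCheck(page, true, corsResponseHeaders(page, intranetData)));
  // 6. A null-origin page asking the credential-protected server: refused.
  record('null origin against intranet', browserCorsCheck('null', true, corsResponseHeaders('null', intranetData)));
  return results;
}

for (const r of walkthrough()) {
  console.log((r.allowed ? 'ALLOWED ' : 'BLOCKED ') + r.label + ': ' + r.reason);
}
```

For public, non-credentialed data the whole server-side change is one header, `Access-Control-Allow-Origin: *` (on Apache, `Header set Access-Control-Allow-Origin "*"` in .htaccess with mod_headers enabled). The thing the wildcard cannot do, by design, is let a credentialed request through, which is why the credentials cases above only pass when the server names the origin exactly and adds `Access-Control-Allow-Credentials: true`; a server that is IP-authenticated or behind a firewall should therefore never use the wildcard. For the file: case, the usual workaround is to serve the test directory from a local HTTP server rather than opening index.html directly, so the page gets a real origin instead of "null".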