- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sun, 11 Jun 2006 15:29:53 +0200
- To: Jamie Lokier <jamie@shareable.org>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
* Jamie Lokier wrote:
>Are you sure it's possible to introduce new methods that have similar
>problems to TRACE and CONNECT?

Of course it is. There may be problems, but it certainly is possible.

>Relax XMLHttpRequest's constraints slightly to allow GET (only)
>requests to any domain, with the constraint that in this case it's not
>permitted to set arbitrary request headers or read most of the
>response headers. (Reading "Content-Type" should be allowed).

Well, A is your client with a fixed IP, B grants access to A but no one
else, C wants data from B. To achieve that, you simply have to be tricked
into visiting a page on C, which is rather trivial. The only way to
prevent that is to deny (indirect) read access from C to A.

http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012 and
http://www.w3.org/TR/access-control/ might be interesting to you.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Sunday, 11 June 2006 13:30:00 UTC