- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 22 Feb 2008 10:56:47 -0800
- To: Brad Porter <bwporter@yahoo.com>
- CC: Jonas Sicking <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>, Window Snyder <window@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, Jesse Ruderman <jruderman@gmail.com>
Brad Porter wrote: > Historically the user-agents have not been in the > position of stating or attempting to enforce privacy policy. Historically browser have absolutely forbidden cross-site XHR; the same-origin policy _is_ a privacy policy and browser enforce it. If this new feature causes users harm because of a careless site the message the world gets will first be "Don't use Firefox on MySpace/Yahoo/whoever until the site is fixed" which quickly morphs to "BrowserX is safer than Firefox" because those users will not want to stop getting their data. I know that if we don't send cookies with XSXHR Firefox users aren't at much more risk from this new Mozilla-only browser feature. It may not be all that useful without cookies, but _I_ have not put users at risk. Given the repeated inability of sites to get the XSS issue right I don't have a lot of confidence they'll implement XSXHR correctly even if it requires opt-in by the site (the use-history of flash's crossdomain.xml is not exactly comforting). Convince me that the benefit of sending browser authentication outweighs the risk of the additional attack surface. Especially given that any substantial use will have to come up with a completely different mechanism for other browsers anyway -- only niche sites can afford to rely on a Firefox-only (for now) feature. -Dan Veditz
Received on Sunday, 24 February 2008 19:29:24 UTC