- From: Sunava Dutta <sunavad@windows.microsoft.com>
- Date: Mon, 5 May 2008 19:08:27 -0700
- To: Ben Adida <ben@adida.net>
- CC: Arthur Barstow <art.barstow@nokia.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, ext Anne van Kesteren <annevk@opera.com>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
XDomainRequest is optimized for the "public data" use case; it sends anonymous requests that do not carry cookies or credentials.

Obviously, it is possible to create XDomainRequest-based AJAX applications whereby identity or authorization tokens are carried in a request body payload (in JSON/XML/other format) but any server configured to accept such tokens must take steps to mitigate any CSRF vulnerabilities, and should also ensure that proper HTTP caching directives are present on any non-public response.

-----Original Message-----
From: Ben Adida [mailto:ben@adida.net]
Sent: Friday, May 02, 2008 3:29 PM
To: Sunava Dutta
Cc: Arthur Barstow; Eric Lawrence; Chris Wilson; ext Anne van Kesteren; Web API WG (public); public-appformats@w3.org; Zhenbin Xu; Gideon Cohn; Sharath Udupa; Marc Silbey
Subject: Re: Seeking XDR versus AC4CSR+XHR2 follow-ups by Microsoft [Was: Re: IE Team's Proposal for Cross Site Requests]

Sunava Dutta wrote:
> Art, I apologize for the delay but we're currently coming up with a
> plan moving forward to regarding how we want to proceed with cross
> domain.

Sunava,

I've been lurking on this list for a while, and wanted to ask a question that I don't think has been answered on the list.

The IE8 White Paper on "Better Ajax Development" says:

"Cross-domain requests are anonymous to protect user data, which means that servers cannot easily find out who is requesting data. As a result, you only want to request and respond with cross-domain data that is not sensitive or personally identifiable."

Is that an accurate representation of MS's position, that XDR should never be used to request sensitive/private information, only generic public data?

Thanks,

-Ben Adida
ben@adida.net
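The two server-side obligations Sunava names for a service that accepts identity tokens in an XDomainRequest body (CSRF mitigation, caching directives on non-public responses) as an added example handler; this is illustration code written for this archive page, not Microsoft's or the IE team's. It assumes the request is modelled as a plain object, an in-memory token store that records which origin each token was issued to, and an Access-Control-Allow-Origin response header, none of which the thread specifies.

```javascript
// Constructed sample token store: token -> { user, origin it was issued to }.
const TOKENS = new Map([
  ["tok-alice-123", { user: "alice", origin: "https://app.example" }],
]);
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// XDomainRequest sends no cookies, no credentials and no custom headers,
// so the only per-request secret a server can check is what the page put
// in the body. Every response here is marked non-cacheable, because the
// body may contain per-user data and the request carried no cookie that a
// shared cache could otherwise key on.
function handleXdrRequest(req) {
  const noStore = { "Cache-Control": "private, no-store", "Pragma": "no-cache" };
  const origin = req.headers["origin"];
  if (req.method !== "POST" || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: noStore, body: "origin not allowed" };
  }
  let payload;
  try {
    payload = JSON.parse(req.body); // body arrives as text/plain from XDR
  } catch (e) {
    return { status: 400, headers: noStore, body: "malformed body" };
  }
  const entry = TOKENS.get(payload && payload.token);
  // CSRF mitigation (assumed design): a token is only honoured from the
  // origin it was issued to, so a token replayed by another site is refused.
  if (!entry || entry.origin !== origin) {
    return { status: 401, headers: noStore, body: "bad token" };
  }
  return {
    status: 200,
    headers: { ...noStore, "Access-Control-Allow-Origin": origin, "Content-Type": "application/json" },
    body: JSON.stringify({ user: entry.user, balance: 42 }), // constructed private data
  };
}

function xdrRequest(origin, body) {
  // Shape of what an XDomainRequest.send() produces on the wire: an Origin
  // header, Content-Type text/plain, and no Cookie header.
  return { method: "POST", headers: { origin, "content-type": "text/plain" }, body };
}
```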
Received on Tuesday, 6 May 2008 02:09:21 UTC