- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 15 May 2008 08:42:42 -0700
- To: Jon Ferraiolo <jferrai@us.ibm.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org
Jon Ferraiolo wrote:
> <jonas>
> I don't understand at all what you are proposing. If we allow the client
> to always POST cross domain the damage is already done and we have lost
> already....JSONRequest always allows cross-site POSTs, i.e. it always
> allows the thing we are trying to prevent.
> </jonas>
>
> JSONRequest requires that a server make explicit changes in order to
> opt-in to enabling cross-site requests (GET or POST). From the
> JSONRequest spec (http://www.json.org/JSONRequest.html):
>
> 3. Responses will be rejected unless they contain a JSONRequest content
> type. This makes it impossible to use JSONRequest to obtain data from
> insecure legacy servers.

Yes, JSONRequest makes the assumption that POSTing data cross site is safe as long as the posted data is of type application/jsonrequest. This is an assumption that I personally as well as Mozilla feel very uncomfortable with. This becomes even more of a problem if you want to scale up the JSONRequest spec to support other data types than JSON objects (something which is in the AC requirements).

That said, if you really think that it is possible to create a security model based on JSONRequest which supports the requirements listed in the AC spec, I look forward to such a proposal.

> <jonas>
> We can't make existing already deployed servers to start
> dealing with this new spec.
> </jonas>
>
> I'm not sure what you are asking. Are you saying that we can't require
> existing servers to make changes in order to support cross-site
> requests? But AC also requires servers to make changes in order to
> support at least some of its features.

I simply meant that we can't create a spec which makes currently deployed servers suddenly vulnerable. I.e. we have to use an opt-in mechanism rather than an opt-out one.

/ Jonas
Received on Thursday, 15 May 2008 15:44:05 UTC
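The disagreement above comes down to ordering: under the JSONRequest model the cross-site POST is delivered first and only the response is filtered by content type, whereas an opt-in model withholds the request itself until the server has signalled consent. The simulation below is an added example written for this page, not code from either spec or from the thread's participants; the `LegacyServer`, `OptInServer` and `cross_site_opt_in` names are constructed abstractions of "a deployed server that knows nothing of the new spec" and "whatever opt-in signal a server-side change provides".

```python
# Constructed model of the two cross-site request policies debated in the
# thread. The server classes and the opt-in flag are simplifications written
# for this example; they do not reproduce either spec's wire format.

JSONREQUEST_TYPE = "application/jsonrequest"


class LegacyServer:
    """A deployed server that predates both specs.

    It relies on ambient authority (the browser's cookies), mutates state on
    any POST it receives, answers with ordinary HTML and has never opted in
    to cross-site access."""

    def __init__(self):
        self.records = []              # state that a cross-site POST could change
        self.cross_site_opt_in = False  # constructed abstraction of a server's opt-in signal

    def handle(self, method, body):
        if method == "POST":
            self.records.append(body)   # the side effect happens here
        return {"Content-Type": "text/html"}, "<html>done</html>"


class OptInServer(LegacyServer):
    """A server whose operator made the explicit change to allow cross-site use."""

    def __init__(self):
        super().__init__()
        self.cross_site_opt_in = True

    def handle(self, method, body):
        if method == "POST":
            self.records.append(body)
        return {"Content-Type": JSONREQUEST_TYPE}, '{"status": "done"}'


def jsonrequest_style_post(server, body):
    """JSONRequest model as described in the thread: the browser always sends
    the cross-site POST and checks only the *response*. A response without the
    JSONRequest content type is rejected, but the server has already acted."""
    headers, resp = server.handle("POST", body)
    if headers.get("Content-Type") != JSONREQUEST_TYPE:
        return None   # response withheld from the page; the side effect stands
    return resp


def opt_in_style_post(server, body):
    """Opt-in model argued for in the reply: the browser consults the server's
    explicit opt-in before sending, so a legacy server never sees the POST."""
    if not server.cross_site_opt_in:
        return None   # request never delivered
    headers, resp = server.handle("POST", body)
    return resp


def compare_models(body="action=update_profile"):
    """Send the same cross-site POST to a legacy server under each model and
    report how many state changes each model let through."""
    legacy_a, legacy_b = LegacyServer(), LegacyServer()
    jsonrequest_style_post(legacy_a, body)
    opt_in_style_post(legacy_b, body)
    return {
        "jsonrequest_model_side_effects": len(legacy_a.records),
        "opt_in_model_side_effects": len(legacy_b.records),
    }


if __name__ == "__main__":
    print(compare_models())
```

Running `compare_models()` shows one state change under the JSONRequest-style policy and none under the opt-in policy: rejecting the response after the fact protects the calling page from reading data, but it does nothing for a server that has already processed a request it never agreed to receive, which is the distinction the reply draws between opt-in and opt-out.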