- From: Ian Davis <ian.davis@talis.com>
- Date: Tue, 18 Apr 2006 11:36:34 +0100
- To: Ian Hickson <ian@hixie.ch>
- CC: public-webapi@w3.org
On 18/04/2006 00:12, Ian Hickson wrote:
> Access check: If there are response headers with the name
> "Content-Access-Control", then they must have their values parsed
> as the data part of an <?access-control?> PI.

My concern with this security model is that it doesn't prevent malicious scripts injected into a site from calling back to a host. For example, I can set up a server to allow requests from all, then contrive to inject a script via a broken forum that sends account details back to my server. The current cross-domain scripting rules prevent this.

I propose a simpler solution that allows hosts to declare their membership of cross-site scripting domains, so that any host serving up scripts can restrict the scope of that script's actions.

When serving the script, the originating host should issue a Scripting-Domain response header consisting of a comma-delimited list of tokens.

Before issuing any request to a third-party host, the send() method must first issue a HEAD request to the given URI. If the third-party host includes a Scripting-Domain response header and any of the tokens in this header match any of the tokens in the originating host's Scripting-Domain header, then the send() method should proceed with the request; otherwise it must act as if there had been a network-level failure.

The XHR object must not send the originating host's tokens to any other host.

The tokens can be generated based on any suitable algorithm; it's up to the originating host to coordinate with third-party hosts for token meaning.

Ian
Received on Tuesday, 18 April 2006 10:36:43 UTC
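The Scripting-Domain check described in the message above, as an added example that is not part of the original thread, of any browser, or of the W3C draft under discussion. It simulates what send() would do under the proposal: parse the originating host's comma-delimited header, issue a HEAD to the target, parse the target's header, and proceed only on a token match, reporting every other outcome as a network-level failure. All function names (parseScriptingDomain, scriptingDomainAllows, simulateSend, makeHeadFetch, demo), the fake hosts and every token value are assumptions made for the illustration; the HEAD transport is faked so the code runs offline.

```javascript
// Added example (not from the W3C thread or any browser): a stand-alone
// simulation of the Scripting-Domain check proposed in the message above.
// Function names, the fake hosts and all header values are assumptions.

// Parse a comma-delimited Scripting-Domain value into a Set of tokens.
// Surrounding whitespace is dropped and empty entries ignored; comparison is
// exact and case-sensitive, since the proposal leaves token meaning to the hosts.
function parseScriptingDomain(headerValue) {
  if (typeof headerValue !== "string") return new Set(); // header absent
  return new Set(
    headerValue.split(",").map((t) => t.trim()).filter((t) => t.length > 0)
  );
}

// The access decision: proceed only if some originating-host token also
// appears in the third-party host's header.
function scriptingDomainAllows(originTokens, thirdPartyTokens) {
  for (const t of originTokens) {
    if (thirdPartyTokens.has(t)) return true;
  }
  return false;
}

// Model of send(): a HEAD to the target first, then the token check.
// `headFetch(url)` is an assumed hook returning the response headers as an
// object with lower-cased names, or throwing on a network error.
// Every failure is reported the same way, as the proposal asks: the caller
// cannot distinguish "no token match" from a real network failure.
function simulateSend(originHeaderValue, url, headFetch) {
  const originTokens = parseScriptingDomain(originHeaderValue);
  let headers;
  try {
    headers = headFetch(url);
  } catch (_e) {
    return { proceed: false, status: "network-level failure" };
  }
  const thirdPartyTokens = parseScriptingDomain(headers["scripting-domain"]);
  if (!scriptingDomainAllows(originTokens, thirdPartyTokens)) {
    return { proceed: false, status: "network-level failure" };
  }
  return { proceed: true, status: "ok" };
}

// Constructed third-party hosts for the demo (assumed names and tokens).
const SAMPLE_HOSTS = {
  "https://partner.example": { "Scripting-Domain": "acme-partners, shared-ring" },
  "https://stranger.example": { "Scripting-Domain": "someone-else" },
  "https://silent.example": {}, // serves no Scripting-Domain header at all
};

// Fake HEAD transport over SAMPLE_HOSTS. Header names are lower-cased because
// HTTP header names are case-insensitive. Each outgoing request's headers are
// recorded so a test can confirm the originating host's tokens never leave.
function makeHeadFetch(hosts, requestLog) {
  return function headFetch(url) {
    // The HEAD carries no Scripting-Domain header: tokens stay with the origin.
    requestLog.push({ url, requestHeaders: {} });
    const host = hosts[url];
    if (host === undefined) throw new Error("connection refused");
    const lowered = {};
    for (const [name, value] of Object.entries(host)) {
      lowered[name.toLowerCase()] = value;
    }
    return lowered;
  };
}

// The four cases a practitioner would want to see: matching token,
// non-matching token, header absent, and host unreachable.
function demo() {
  const requestLog = [];
  const headFetch = makeHeadFetch(SAMPLE_HOSTS, requestLog);
  const origin = "acme-partners, acme-internal"; // originating host's header
  const results = {
    partner: simulateSend(origin, "https://partner.example", headFetch).proceed,
    stranger: simulateSend(origin, "https://stranger.example", headFetch).proceed,
    silent: simulateSend(origin, "https://silent.example", headFetch).proceed,
    unreachable: simulateSend(origin, "https://down.example", headFetch).proceed,
  };
  const leaked = requestLog.some((r) => "scripting-domain" in r.requestHeaders);
  return { ...results, leaked };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Only the partner host, which shares the token "acme-partners", lets send() proceed; a host with a different token, a host that omits the header, and a host that cannot be reached all collapse into the same network-level failure, which is exactly the indistinguishability the proposal calls for. The request log exists only to make the "must not send the originating host's tokens" rule checkable.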