- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 18 Apr 2006 17:14:22 +0000 (UTC)
- To: Ian Davis <ian.davis@talis.com>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, public-webapi@w3.org
On Tue, 18 Apr 2006, Ian Davis wrote:
> On 18/04/2006 00:12, Ian Hickson wrote:
> > Access check: If there are response headers with the name
> > "Content-Access-Control", then they must have their values parsed
> > as the data part of an <?access-control?> PI.
>
> My concern with this security model is that it doesn't prevent malicious
> scripts injected into a site from calling back to a host.

As Bjoern pointed out, it is already trivially possible to do this both for
GET and POST requests, which are the only requests that I propose to allow
without a pre-flight check.

> I propose a simpler solution that allows hosts to declare their
> membership of cross-site scripting domains so that any host serving up
> scripts can restrict the scope of that script's actions.

I'm not sure that's simpler, but more importantly, I would suggest that is
out of scope for this specification. You may be interested in work that
Gervase Markham has been doing on this topic:

   http://www.gerv.net/security/content-restrictions/

...as well as discussions of a <sandbox> element in the WHATWG list, e.g.:

   http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2005-December/005294.html

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 18 April 2006 17:14:32 UTC
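The access check quoted at the top of the mail (parse each "Content-Access-Control" response header value as the data part of an <?access-control?> PI, then decide whether the requesting site may read the response) and the GET/POST-without-pre-flight point, as an added example in JavaScript. This is not code from the thread, from Ian Hickson, or from any W3C draft. The pseudo-attribute names "allow" and "exclude", the comma-separated item lists, the "*." subdomain wildcard, the rule that any matching "exclude" overrides any "allow", and the sample headers are all assumptions made for this example; the mail itself specifies none of them.

```javascript
// Added example; not from the thread or any W3C draft. Assumed PI data syntax:
//   allow="item, item, ..." exclude="item, item, ..."
// where an item is "*", "*.host.tld" (any subdomain, not host.tld itself),
// or an exact host name. Parsing and matching are deliberately deny-by-default.

// Parse one header value as if it were the data part of an <?access-control?> PI.
// Unknown pseudo-attributes are ignored; missing ones yield empty lists.
function parseAccessControlData(data) {
  const result = { allow: [], exclude: [] };
  const pseudoAttr = /([A-Za-z][\w-]*)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = pseudoAttr.exec(data)) !== null) {
    const name = m[1].toLowerCase();
    if (name !== "allow" && name !== "exclude") continue;
    const items = m[2].split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
    result[name].push(...items);
  }
  return result;
}

// Does a (lower-cased) host match one access item? (assumed matching rules)
function hostMatches(host, item) {
  if (item === "*") return true;
  if (item.startsWith("*.")) {
    const suffix = item.slice(1);               // "*.example.org" -> ".example.org"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === item;
}

// The access check: headerValues are all Content-Access-Control values on the
// response, requestingHost is the host of the document that issued the request.
// Assumed policy: any matching exclude anywhere denies; otherwise any matching
// allow permits; with no headers at all, access is denied.
function originAllowed(headerValues, requestingHost) {
  const host = requestingHost.toLowerCase();
  const policies = headerValues.map(parseAccessControlData);
  if (policies.some(p => p.exclude.some(item => hostMatches(host, item)))) return false;
  return policies.some(p => p.allow.some(item => hostMatches(host, item)));
}

// Pull the relevant values out of a header list; header names are case-insensitive.
function contentAccessControlValues(headers) {
  return headers
    .filter(([name]) => name.toLowerCase() === "content-access-control")
    .map(([, value]) => value);
}

// The mail proposes allowing only GET and POST cross-site without a pre-flight
// check, since those are already possible via forms and images; anything else
// must be pre-flighted first.
const NO_PREFLIGHT_METHODS = new Set(["GET", "POST"]);
function needsPreflight(method) {
  return !NO_PREFLIGHT_METHODS.has(method.toUpperCase());
}

// Constructed sample response headers (not from the thread).
const sampleResponseHeaders = [
  ["Content-Type", "application/xml"],
  ["Content-Access-Control", 'allow="*.example.org" exclude="test.example.org"'],
  ["content-access-control", 'allow="partner.example.com"'],
];

function demo() {
  const values = contentAccessControlValues(sampleResponseHeaders);
  return {
    app: originAllowed(values, "app.example.org"),        // true: matches *.example.org
    excluded: originAllowed(values, "test.example.org"),  // false: explicitly excluded
    apex: originAllowed(values, "example.org"),           // false: "*." does not match the apex
    partner: originAllowed(values, "PARTNER.example.com"),// true: exact match, case-insensitive
    stranger: originAllowed(values, "evil.example.net"),  // false: nothing allows it
    noHeaders: originAllowed([], "app.example.org"),      // false: deny by default
    get: needsPreflight("get"),                           // false
    del: needsPreflight("DELETE"),                        // true
  };
}
```

Two details a reviewer would check here: a response with no Content-Access-Control header is denied rather than allowed, and an "exclude" match is evaluated before any "allow" so a broad wildcard cannot silently re-admit a host the server meant to exclude.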