- From: Sunava Dutta <sunavad@windows.microsoft.com>
- Date: Mon, 5 May 2008 19:08:27 -0700
- To: Ben Adida <ben@adida.net>
- CC: Arthur Barstow <art.barstow@nokia.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, ext Anne van Kesteren <annevk@opera.com>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
XDomainRequest is optimized for the "public data" use case; it sends anonymous requests that do not carry cookies or credentials. Obviously, it is possible to create XDomainRequest-based AJAX applications whereby identity or authorization tokens are carried in a request body payload (in JSON/XML/other format) but any server configured to accept such tokens must take steps to mitigate any CSRF vulnerabilities, and should also ensure that proper HTTP caching directives are present on any non-public response. -----Original Message----- From: Ben Adida [mailto:ben@adida.net] Sent: Friday, May 02, 2008 3:29 PM To: Sunava Dutta Cc: Arthur Barstow; Eric Lawrence; Chris Wilson; ext Anne van Kesteren; Web API WG (public); public-appformats@w3.org; Zhenbin Xu; Gideon Cohn; Sharath Udupa; Marc Silbey Subject: Re: Seeking XDR versus AC4CSR+XHR2 follow-ups by Microsoft [Was: Re: IE Team's Proposal for Cross Site Requests] Sunava Dutta wrote: > Art, I apologize for the delay but we're currently coming up with a > plan moving forward to regarding how we want to proceed with cross > domain. Sunava, I've been lurking on this list for a while, and wanted to ask a question that I don't think has been answered on the list. The IE8 White Paper on "Better Ajax Development" says: "Cross-domain requests are anonymous to protect user data, which means that servers cannot easily find out who is requesting data. As a result, you only want to request and respond with cross-domain data that is not sensitive or personally identifiable." Is that an accurate representation of MS's position, that XDR should never be used to request sensitive/private information, only generic public data? Thanks, -Ben Adida ben@adida.net
Received on Tuesday, 6 May 2008 02:09:19 UTC