- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 19 Jun 2008 01:35:45 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>
Ian Hickson wrote:

> On Wed, 18 Jun 2008, Jonas Sicking wrote:
>> Most of the feedback I got from my previous proposal was in regards to
>> the nested uri scheme solution, which wasn't really a critical part of
>> the proposal. So here is an alternative proposal which doesn't use the
>> nested schemes but rather a separate flag.
>
> Seems reasonable. The attack vector it is blocking is sites that provide
> user-specific POST-able scripts same-domain, and non-user-specific data
> cross-domain, and that accidentally make the former available under the
> Access-Control mechanism when exposing the latter, right?

Exactly. And it's useful for pages that contain private information only when cookies are sent, but when no cookies are sent they only provide public information. I've given two examples of this in other threads:

1. A news site serving articles in different categories. When the user is logged in and has configured a home zipcode, it includes a category of local news. Example: news.yahoo.com

2. A discussion board that allows comments to be marked private. Only when a user is logged in and has access to private comments are the private comments included, otherwise only the public comments are shown. Example: bugzilla.mozilla.com

> This has one side-effect, which is that it doesn't work well with XBL or
> VBWG in environments where the XBL file (or VXML file) is customised to
> the user but accessed cross-site. Is that ok?

It doesn't "work well" in the sense that they don't work out-of-the-box. It would be trivial to add a load-private-data pseudo attribute to the <?xbl?> PI that sets the "with credentials" flag to true. However I can't think of a situation where someone wants to load private XBL bindings, so I'm totally ok with it being a bit more hassle.

It might be a bigger deal for VXML, I don't know since I've not looked at that spec.

/ Jonas
Received on Thursday, 19 June 2008 08:37:09 UTC
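Added example, not code from the thread: a small model of the news-site case (public categories for everyone, a "local" category only when the session cookie is sent) and of the browser-side "with credentials" flag the message proposes. The header names (Access-Control-Allow-Origin, Access-Control-Allow-Credentials), the origins, and the cookie values are assumptions; the headers follow the CORS design that later shipped rather than the 2008 draft quoted here.

```python
# Constructed sample data: the public view and the user-specific "local" category.
PUBLIC_NEWS = {"world": ["Summit ends"], "tech": ["New browser release"]}
LOCAL_NEWS = {"local": ["Road closure on Main St (zip 94110)"]}   # logged-in users only
ALICE_COOKIES = {"session": "alice"}                               # constructed sample cookie


def news_server(cookies, origin):
    """Example 1 from the message: public categories for everyone, a user-specific
    'local' category only when the session cookie is present. The site lets every
    origin read the response, which is the accidental over-exposure case."""
    body = dict(PUBLIC_NEWS)
    if cookies.get("session") == "alice":
        body.update(LOCAL_NEWS)
    return {"Access-Control-Allow-Origin": "*"}, body


def opted_in_server(cookies, origin):
    """Same resource, but the site deliberately shares the private view with one
    partner origin by echoing that origin and opting in to credentialed reads."""
    headers, body = news_server(cookies, origin)
    if origin == "https://partner.example":
        headers = {"Access-Control-Allow-Origin": origin,
                   "Access-Control-Allow-Credentials": "true"}
    return headers, body


def cross_site_fetch(server, origin, user_cookies, with_credentials):
    """Browser-side policy (assumed model) for one cross-site request from `origin`.
    Flag off: cookies are withheld, so the server can only build the public view.
    Flag on: cookies are sent, but the response is exposed to the calling page only
    if the server opts in explicitly (matching non-wildcard origin plus
    Access-Control-Allow-Credentials: true). Returns the body or None if blocked."""
    sent = user_cookies if with_credentials else {}
    headers, body = server(sent, origin)
    allow_origin = headers.get("Access-Control-Allow-Origin")
    if not with_credentials:
        return body if allow_origin in ("*", origin) else None
    if allow_origin == origin and headers.get("Access-Control-Allow-Credentials") == "true":
        return body
    return None   # blocked: the private view never reaches the calling page
```

With the flag off, a third-party page can read only what an anonymous visitor would see; with the flag on, the wildcard site's private view stays blocked and only the deliberately opted-in partner origin receives it.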