- From: Sunava Dutta <sunavad@windows.microsoft.com>
- Date: Fri, 18 Jul 2008 19:04:41 -0700
- To: Jonas Sicking <jonas@sicking.cc>, Maciej Stachowiak <mjs@apple.com>
- CC: "annevk@opera.com" <annevk@opera.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Jonas said: 'url' is parsed as an absolute URL using the internal parser used for normal URL parsing, but if the resulting URL contains anything other than scheme, domain and port then access should be denied. I.e. if the url contains a path, a query string a fragment or similar, the header is considered invalid and MUST be ignored. This sounds fine as it reduces surface area of attack. -----Original Message----- From: Jonas Sicking [mailto:jonas@sicking.cc] Sent: Friday, July 18, 2008 6:58 PM To: Maciej Stachowiak Cc: Sunava Dutta; annevk@opera.com; Sharath Udupa; Zhenbin Xu; Gideon Cohn; public-webapps@w3.org; IE8 Core AJAX SWAT Team Subject: Re: XDomainRequest Integration with AC Maciej Stachowiak wrote: > > On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote: > >> I'm in time pressure to lock down the header names for Beta 2 to >> integrate XDR with AC. It seems no body has objected to Jonas's >> proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html >> Please let me know if this discussion is closed so we can make the change. > > I think Anne's email represents the most recent agreement and I don't > think anyone has > objected: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html > > The change would be: > > Instead of checking for "XDomainRequestAllowed: 1" check for > "Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url" > where url matches what was sent in the Origin header. 'url' is parsed as an absolute URL using the internal parser used for normal URL parsing, but if the resulting URL contains anything other than scheme, domain and port then access should be denied. I.e. if the url contains a path, a query string a fragment or similar, the header is considered invalid and MUST be ignored. / Jonas
Received on Saturday, 19 July 2008 02:05:26 UTC