RE: XDomainRequest Integration with AC

Jonas said:
'url' is parsed as an absolute URL using the internal parser used for
normal URL parsing, but if the resulting URL contains anything other
than scheme, domain and port then access should be denied. I.e. if the
url contains a path, a query string a fragment or similar, the header is
considered invalid and MUST be ignored.

This sounds fine as it reduces surface area of attack.

-----Original Message-----
From: Jonas Sicking [mailto:jonas@sicking.cc]
Sent: Friday, July 18, 2008 6:58 PM
To: Maciej Stachowiak
Cc: Sunava Dutta; annevk@opera.com; Sharath Udupa; Zhenbin Xu; Gideon Cohn; public-webapps@w3.org; IE8 Core AJAX SWAT Team
Subject: Re: XDomainRequest Integration with AC

Maciej Stachowiak wrote:
>
> On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
>
>> I'm in time pressure to lock down the header names for Beta 2 to
>> integrate XDR with AC. It seems no body has objected to Jonas's
>> proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
>> Please let me know if this discussion is closed so we can make the change.
>
> I think Anne's email represents the most recent agreement and I don't
> think anyone has
> objected: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
>
> The change would be:
>
> Instead of checking for "XDomainRequestAllowed: 1" check for
> "Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url"
> where url matches what was sent in the Origin header.

'url' is parsed as an absolute URL using the internal parser used for
normal URL parsing, but if the resulting URL contains anything other
than scheme, domain and port then access should be denied. I.e. if the
url contains a path, a query string a fragment or similar, the header is
considered invalid and MUST be ignored.

/ Jonas

Received on Saturday, 19 July 2008 02:05:26 UTC