Re: [cors] security issue with XMLHttpRequest API compatibility

On Tue, Apr 7, 2009 at 4:16 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Tue, Apr 7, 2009 at 3:57 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> My point is that having two APIs that are identical and intended to be
>> used for basically the same thing, except for that they use different
>> security models, is a security bug waiting to happen.
>
> So you do of course realize that this is exactly what the WG is
> currently proposing, right? Browser version X will have an XHR with
> one security model and browser version X+1 will have an identical XHR
> API with a different security model.

But it's for a limited time. In a few years hopefully all browsers
supports cross site XHR. And if you can already today follow the
advice that you should not rely on XHR not honoring your request just
because it's a cross site URI.

You are proposing a model where there's two types of XHR objects. One
where we specifically tell users that you can rely on the request
won't be sent cross site, and one where you can't.

/ Jonas

Received on Wednesday, 8 April 2009 00:30:04 UTC