
Re: [cors] security issue with XMLHttpRequest API compatibility

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 7 Apr 2009 18:52:33 -0700
Message-ID: <63df84f0904071852o56d02cc2r8b839f37756cfa8d@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps@w3.org

On Tue, Apr 7, 2009 at 5:55 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> You are proposing a model where there are two types of XHR objects. One
>> where we specifically tell users that you can rely on the request not
>> being sent cross-site, and one where you can't.
> I'm proposing that we leave the existing security model in place and
> provide a switch that applications must flip in order to swap in the
> new security model. I've proposed a design where flipping this switch
> requires minimal changes to existing application code. There's nothing
> radical about this proposal; it's just the way things are done when
> you're being careful.

I maintain that we are talking about very small differences. I'm still
not convinced that the problem you are trying to solve is a problem
large enough to need solving. But I also don't think that the solution
that you are proposing is a huge burden on authors or UA implementors.

In other words, I think both the benefit and the cost of your solution
are small but non-zero.

However, the cost does seem to me to be bigger than the benefit.
The biggest cost is a cluttering of the web platform API. This is
the same reason that I've been arguing against the XDomainRequest API
that Microsoft is introducing in IE. It largely works the same as
XMLHttpRequest, but it is a different API from it.

/ Jonas

Received on Wednesday, 8 April 2009 01:53:23 UTC
