Re: [cors] security issue with XMLHttpRequest API compatibility

On Thu, Oct 8, 2009 at 7:55 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 14 Apr 2009 14:34:11 +0200, Arthur Barstow <art.barstow@nokia.com>
> wrote:
>>
>> On Apr 14, 2009, at 6:33 AM, ext Thomas Roessler wrote:
>>>
>>> So, to pick up on this discussion again -- I don't think we've had a
>>> useful conclusion whether or not the client-side JavaScript code ought
>>> to explicitly enable cross-site requests (as Tyler suggests, and as IE
>>> implements in XDR) or not.
>>>
>>> All things considered, any thoughts?
>>
>> I tend to think that when adding new semantics, it generally makes sense
>> to add new syntax to support those semantics and in this case that it would
>> be better to err on the side of caution even if the mechanism chosen isn't
>> particularly friendly to the app developer.
>>
>> Yes, it would be good to get others' thoughts on this, particularly those
>> that have implemented CORS.
>
> If you still feel this way I suggest you put it on the agenda for TPAC so we
> can briefly discuss it there.

This is my first TPAC. How does one put something on the agenda?


> Otherwise I suggest we consider this resolved
> considering that implementations are shipping.

I don't understand this argument seeing as how implementations of XDR
are already shipping too.


> I personally think keeping the API the way it is now is nicer and the
> security issue seems highly theoretical.

As with much of the rest of CORS, newly created vulnerabilities seem
theoretical until they are deployed and attacked. By the time they do
not seem theoretical, it is too late to do better than patch around
problems that should not have been introduced. We've been over this
before.


> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
>



-- 
    Cheers,
    --MarkM

Received on Thursday, 8 October 2009 16:00:29 UTC