- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 8 Dec 2009 11:56:33 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-webapps@w3.org
Hi Ian,

I assume you want to move on to the XHR-like example, so I've just got a few clarification questions about it...

On Tue, Dec 8, 2009 at 11:18 AM, Ian Hickson <ian@hixie.ch> wrote:
> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html
>
> To recast the question in terms of XMLHttpRequest, how would one label a
> static resource on an intranet server, e.g.:
>
> http://marketing.corp.example.com/productcodes.xml
>
> ...such that it can be read (using XMLHttpRequest) by scripts embedded on
> pages from the following hosts:
>
> http://www.corp.example.com/
> http://finance.corp.example.com/
> http://eng.corp.example.com/
> http://intranet.example.com/
>
> ...but such that it could _not_ be read by pages from the following hosts
> (i.e. the HTTP response would not be made accessible to scripts on pages
> from these hosts):
>
> http://hostile-blog.example.com/
> http://www.hostile.example/

Are you saying a firewall prevents the author of the attack pages from directing his own browser to any of the legitimate pages that have access to the data? So, all the resources with access to the secret data are hosted by servers behind a firewall; and all the attackers are outside the firewall?

Furthermore, all the resources with access to the secret data are trusted to not send the secret data to the attacker?

It also seems that any resource hosted behind the firewall also has access to the secret data, since it can just send a request server-to-server, instead of server-to-browser-to-server. True?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 8 December 2009 19:57:13 UTC
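The following is an added example, not code from this thread, from Ian's draft, or from the Waterken project. It shows the origin-allowlist "label" that Ian's question asks for, written as pure functions over header maps so it runs offline, and it models the two points Tyler's questions raise: the browser is the only thing withholding the body from a disallowed page, and a request that does not go through a browser (server-to-server, curl, a same-origin navigation) carries no Origin header and gets the body regardless. The allowed and hostile origins are taken from Ian's message; the header names are the Access-Control-Allow-Origin and Vary headers of the CORS mechanism; the request and response objects are constructed here for illustration and are not a real server.

```javascript
// Origins whose pages may read productcodes.xml via XMLHttpRequest.
// Exact string matches of the serialized origin (scheme://host[:port]);
// no startsWith/regex, so "http://www.corp.example.com.hostile.example"
// does not slip through.
const ALLOWED_ORIGINS = new Set([
  'http://www.corp.example.com',
  'http://finance.corp.example.com',
  'http://eng.corp.example.com',
  'http://intranet.example.com',
]);

// Constructed body standing in for the real resource.
const RESOURCE_BODY = '<productcodes/>';

// Compute the CORS response headers for one request. `req.headers` uses
// lowercase names, as Node's http module delivers them.
function corsHeaders(req) {
  // Caches must not serve a response tailored to one origin to another.
  const headers = { Vary: 'Origin' };
  const origin = req.headers.origin;

  if (origin === undefined) {
    // No Origin header: same-origin navigation, curl, or a server-to-server
    // fetch. CORS has nothing to say here; the body is served as usual.
    return headers;
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Do not echo the origin. The browser will withhold the body from
    // scripts on that page, but note the server still transmits it.
    return headers;
  }
  // Echo the single matching origin rather than "*", so the allowlist
  // stays visible in the response and credentialed requests remain possible.
  headers['Access-Control-Allow-Origin'] = origin;
  // A plain GET with no custom request headers is not preflighted, so no
  // OPTIONS handling is needed for this static resource.
  return headers;
}

// Model of what the requesting page's browser does with the response: the
// body reaches script only if the allow-origin header names that origin.
function browserExposesBody(pageOrigin, responseHeaders) {
  const allow = responseHeaders['Access-Control-Allow-Origin'];
  return allow === '*' || allow === pageOrigin;
}

// Whole exchange from a page at `pageOrigin`: server always sends the body,
// browser decides whether script on the page may see it.
function fetchFromPage(pageOrigin) {
  const req = {
    method: 'GET',
    headers: { host: 'marketing.corp.example.com', origin: pageOrigin },
  };
  const res = { headers: corsHeaders(req), body: RESOURCE_BODY };
  return browserExposesBody(pageOrigin, res.headers) ? res.body : null;
}

// A host inside the firewall fetching server-to-server: no Origin header and
// no browser in the path, so nothing withholds the body.
function fetchServerToServer() {
  const req = {
    method: 'GET',
    headers: { host: 'marketing.corp.example.com' },
  };
  const res = { headers: corsHeaders(req), body: RESOURCE_BODY };
  return res.body;
}

// Quick demonstration when run directly with node.
console.log('finance page  :', fetchFromPage('http://finance.corp.example.com'));
console.log('hostile page  :', fetchFromPage('http://www.hostile.example'));
console.log('server-to-server:', fetchServerToServer());
```

The allowlist answers Ian's labeling question for pages in the listed origins, but it only ever constrains a browser that honours CORS: `fetchServerToServer` returns the body with no check at all, which is the point of Tyler's last question, and any allowed page that does read the body can forward it wherever its script likes, which is the point of his second.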