- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 9 Dec 2009 09:53:44 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-webapps@w3.org
On Wed, Dec 9, 2009 at 7:43 AM, Ian Hickson <ian@hixie.ch> wrote: > Ok, let's move on to a more complex case. > > Consider a static resource that is protected by a cookie authentication > mechanism. For example, a per-user static feed updated daily on some > server by some automated process. The server is accessible on the public > Web. The administrator of this service has agreements with numerous > trusted sites, let's say a dozen sites, which are allowed to fetch this > file using XHR (assuming the user is already logged in). The sites that > fetch this file do not require authentication (e.g. one could be my portal > page, which is just a static HTML page, without any server-side script). > Other sites must not be allowed access to the file. > > How does one configure the server to handle this case? Again going with the simplest thing that could possibly work: Each of the per-user static feeds is referenced by a unique unguessable URL of the same format used in the previous example. For example, https://example.com/user123/?s=42tjiyrvnbpoal https://example.com/user456/?s=sdfher34nvl34 ... Again, a GET response from such a URL carries the same-origin opt-out header. The user gives this URL only to those services he wants to access the feed. For example, you could copy this URL into your personal static HTML page that acts as your portal. --Tyler -- "Waterken News: Capability security on the Web" http://waterken.sourceforge.net/recent.html
Received on Wednesday, 9 December 2009 17:54:24 UTC