
[XHR][XHR2] Same-origin policy protection

From: David Bruant <david.bruant@labri.fr>
Date: Wed, 15 Jun 2011 12:43:33 +0200
Message-ID: <4DF88CD5.7000103@labri.fr>
To: public-webapps@w3.org

I've been thinking a lot about same-origin policy recently. I understand 
the protection it provides when it comes to cross-frame communication, 
but I'm having a hard time understanding what it protects from when it 
comes to cross-origin XHR.
Over the years, web sites have moved to web apps and to just apps. These 
apps are client applications able to download content from different 
origins and mash up content. Interestingly, the notion of origin does not 
apply to these apps. Basically, being installed as independent pieces of 
software, rather than being loaded from a particular source in a web 
browser, they are origin-free. This already applied to other client 
applications such as crawlers.
To summarize, the same application (if written in JS for instance) could 
perform cross-domain XHR if installed as stand-alone, but cannot if 
running within a web browser (which granted it an origin and applied 
same-origin restrictions).

Could someone explain how running in a web browser justifies such a 
difference? For instance, could someone explain a threat particular to 
cross-origin XHR in a web browser?


Received on Wednesday, 15 June 2011 10:44:15 UTC
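The distinction the message asks about comes down to whose authority a request carries. A cross-origin XHR issued from a page is driven by one site's script but sent with the user's ambient authority (the user's cookies, HTTP auth and network position, including hosts reachable only from the user's intranet), so without a read gate any page could read another site's responses on the user's behalf. A stand-alone application has no such gate because it runs only with the authority its own user gave it. XHR2 relaxes the policy through CORS: the server opts in per origin, and the browser checks that opt-in before exposing the response to script. The simulation below is an added example, not part of the original message or of the XHR2 specification text; the allowlist, the origins, and the two function names are constructed for illustration, and the browser-side function is a simplified form of the CORS check.

```javascript
// Added example (not from the original message): the server-side CORS decision
// that XHR2 uses to relax the same-origin policy, and the browser-side check
// that decides whether script may read a cross-origin response.
// Everything is simulated in-process; no network is used.

// Constructed allowlist: origins this server chooses to trust with credentialed reads.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

// Server side: given the request's Origin header, decide which CORS headers
// to emit. An origin that is not on the list gets no Access-Control-* headers
// at all, so the browser keeps the response body away from the calling script.
function corsResponseHeaders(origin, allowed = ALLOWED_ORIGINS) {
  const headers = {};
  if (typeof origin !== "string" || !allowed.has(origin)) {
    return headers; // no opt-in: the same-origin policy stays in force
  }
  headers["Access-Control-Allow-Origin"] = origin; // echo the exact origin, never "*"
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Vary"] = "Origin"; // caches must not replay one origin's answer to another
  return headers;
}

// Browser side: the check a browser performs before exposing a cross-origin
// response to the requesting script. `withCredentials` is the XHR2 flag that
// attaches cookies and HTTP auth to the request; such requests need a stricter answer.
function browserAllowsRead(requesterOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!withCredentials) {
    return acao === "*" || acao === requesterOrigin;
  }
  // Credentialed request: the wildcard is rejected and the credentials
  // header must be literally "true".
  return acao === requesterOrigin &&
         responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// End to end: does script running at `requesterOrigin` get to read the
// response when it sends a cross-origin XHR to this server?
function simulateCrossOriginXhr(requesterOrigin, withCredentials) {
  const headers = corsResponseHeaders(requesterOrigin);
  return browserAllowsRead(requesterOrigin, withCredentials, headers);
}

// Walk through the cases a practitioner usually wants to see side by side.
const cases = [
  ["https://app.example", true],    // listed origin, credentialed: readable
  ["https://app.example", false],   // listed origin, anonymous: readable
  ["https://other.example", true],  // unlisted origin: blocked
  ["https://other.example", false], // unlisted origin, anonymous: still blocked
];
for (const [origin, creds] of cases) {
  console.log(`${origin} withCredentials=${creds} -> readable=${simulateCrossOriginXhr(origin, creds)}`);
}
```

The asymmetry the message points at is visible in `browserAllowsRead`: the gate exists only because the browser knows the requesting origin and what ambient credentials it attached, which is exactly the context a stand-alone application or crawler does not have. Echoing the exact origin together with `Vary: Origin`, rather than answering `*`, is what keeps a credentialed response from being readable by every origin.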
