- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 15 Jun 2011 12:18:34 -0400
- To: David Bruant <david.bruant@labri.fr>
- CC: public-webapps@w3.org
On 6/15/11 6:43 AM, David Bruant wrote: > Could someone explain how running in a web browser justify such a > difference? For instance, could someone explain a threat particular to > cross-origin XHR in web browser? Off the top of my head: 1) XHR in the web browser sends the user's cookies, HTTP auth credentials, etc. with the request. Which means that if you're logged in to some site A, and cross-site XHR to that site is allowed from some other other site B, then B can access all the information you can access due to being logged in to site A. 2) XHR in the web browser gives (at the moment, at least) sites that are outside a firewall that your browser is behind the ability to make requests to hosts that are behind the firewall. Item 2 is somewhat of an issue for installed apps as well, of course, but installing an app is a trust decision. I would imagine browsers could relax some of these restrictions if a similar trust decision is explicitly made for a non-locally-hosted app. Item 1 is pretty specific to a web browser; the only way to avoid that issue is to run the app's XHRs in a special mode (effectively treating it as not running in the browser at all). -Boris
Received on Wednesday, 15 June 2011 16:19:15 UTC