[whatwg] Re: Cross Domain Policies

On Mon, 26 Jul 2004 17:07:33 -0500, Doron Rosenberg <doronr at gmail.com> wrote:
> Cross domain scripting is easily doable in all browsers today, and it
> won't change.  Any domain can include javascript files from any other
> domain.  That allows 2 way communications.  Done.

Indeed, but that's a completely different threat scenario to access
non javascript files across domains.   I think you're being very
misleadin about why cross domain access to URLS are blocked.

> This doesn't make web services less secure - most programing toolkits
> allow cross domain web services without any restrictions.

Most programming toolkits aren't run in a browser!  This _DOES_ make
Mozilla SOAP in secure, I have SOAP services running on this intranet
which are protected purely by the fact they're behind the firewall,
any machine here can access them, those outside cannot - However,
www.anydomain.org can use them easily, if someone happens to drop an
XML file in the root.

> If they want to restrict, they can use username/passwords to do that,
> as does Google.

This is orthogonal to the ability of a webbrowser to make the request.

> The only reason we didn't allow cross domain web services access are
> intranets - since mozilla does the actually SOAP connection, user A in
> a workplace with internet and intranet access could get to evil.com,
> which talks to an intranet web service.

Ah, so you do understand the problem, unfortunately though, you don't
actually realise that not all "intranets" are quite so simple as you
describe for Mozilla to know.

This is not secure, and I ask you again, How do I disable this ability
in Mozilla, it is laxxer security, please do not pretend otherwise
with your "cross frame scripting is always possible" and can you
please tell me how to disable this 'feature' in Mozilla.

For the other browser vendors in WHATWG - Do not implement this.

Jim.

Received on Tuesday, 27 July 2004 01:18:14 UTC