- From: Jim Ley <jim.ley@gmail.com>
- Date: Tue, 27 Jul 2004 09:18:14 +0100
On Mon, 26 Jul 2004 17:07:33 -0500, Doron Rosenberg <doronr at gmail.com> wrote:
> Cross domain scripting is easily doable in all browsers today, and it
> won't change. Any domain can include javascript files from any other
> domain. That allows 2 way communications. Done.

Indeed, but that's a completely different threat scenario to access non-javascript files across domains. I think you're being very misleading about why cross domain access to URLs is blocked.

> This doesn't make web services less secure - most programing toolkits
> allow cross domain web services without any restrictions.

Most programming toolkits aren't run in a browser! This _DOES_ make Mozilla SOAP insecure. I have SOAP services running on this intranet which are protected purely by the fact they're behind the firewall: any machine here can access them, those outside cannot. However, www.anydomain.org can use them easily, if someone happens to drop an XML file in the root.

> If they want to restrict, they can use username/passwords to do that,
> as does Google.

This is orthogonal to the ability of a web browser to make the request.

> The only reason we didn't allow cross domain web services access are
> intranets - since mozilla does the actual SOAP connection, user A in
> a workplace with internet and intranet access could get to evil.com,
> which talks to an intranet web service.

Ah, so you do understand the problem. Unfortunately, though, you don't actually realise that not all "intranets" are quite so simple as you describe for Mozilla to know. This is not secure, and I ask you again: how do I disable this ability in Mozilla? It is laxer security, please do not pretend otherwise with your "cross frame scripting is always possible", and can you please tell me how to disable this 'feature' in Mozilla.

For the other browser vendors in WHATWG - Do not implement this.

Jim.
Received on Tuesday, 27 July 2004 01:18:14 UTC