
[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 9 Mar 2005 00:30:19 +0000 (UTC)
Message-ID: <Pine.LNX.4.61.0503090019560.5940@dhalsim.dreamhost.com>
On Tue, 8 Mar 2005, Chris Holland wrote:
> 
> http://chrisholland.blogspot.com/2005/03/contextagnosticxmlhttprequest-informal.html
> 
> I'm basically looking to enable some sort of cross-host *and* 
> cross-domain interoperability between documents via a modified clone of 
> the XmlHttpRequest object, while attempting to tread very carefully on 
> various security issues, such as Cookies and Basic-Auth credentials. A 
> "ContextAgnosticXmlHttpRequest" would be a new object developers could 
> use, beyond the traditional XmlHttpRequest.

One security problem with the above suggestion is that if you have a 
scenario where host H is accessed by a user U which is behind a corporate 
firewall, and behind that firewall are otherwise unprotected servers 
hosting sensitive information, you just gave hostile host H access to all 
that sensitive data.

The only real solution I can see is to have the remote server somehow opt 
in to being able to serve pages from any other site. I've been 
brainstorming possible ways to allow this kind of thing in:

   http://whatwg.org/specs/web-apps/current-work/#network

...but nothing currently there should be considered even remotely finished 
yet (or even representative of what I'm currently thinking, it's really 
just a scratchpad).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 8 March 2005 16:30:19 UTC
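The opt-in rule sketched above, where a remote server must explicitly say that other sites' scripts may read its responses, as an added example that is not part of this thread or of the WHATWG draft. The header name (modelled on what was later standardized as CORS), the origins and the servers in `NETWORK` are constructed assumptions for the example; unprotected intranet servers that never heard of the mechanism send no such header and so stay opaque to the hostile host's script.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed opt-in header name for this example; the thread names no header.
OPT_IN_HEADER = "Access-Control-Allow-Origin"


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Constructed network: servers as reachable from user U's browser behind the firewall.
NETWORK = {
    "http://intranet.example/secret": Response(200, {}, "payroll data"),
    "http://public.example/feed": Response(200, {OPT_IN_HEADER: "*"}, "public feed"),
    "http://partner.example/api": Response(200, {OPT_IN_HEADER: "https://h.example"}, "partner data"),
}


def origin_of(url: str) -> str:
    """Scheme and host[:port], lower-cased: the unit the opt-in decision is made on."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def remote_allows(response: Response, requesting_origin: str) -> bool:
    """True only if the remote server explicitly opted in for this origin (or any origin)."""
    value = response.headers.get(OPT_IN_HEADER)
    if value is None:
        return False  # no opt-in header: the server stays protected by default
    allowed = [v.strip().lower() for v in value.split(",")]
    return "*" in allowed or requesting_origin.lower() in allowed


def fetch_for_document(document_origin: str, url: str, network=NETWORK):
    """Model of a cross-host XmlHttpRequest under the opt-in rule.

    The request is sent without ambient credentials. The response body is exposed
    to the requesting document only for a same-origin target or when the server
    opted in; otherwise the script gets an opaque result (None) and learns nothing.
    """
    response = network.get(url)
    if response is None:
        return None
    if origin_of(url) == document_origin.lower():
        return response.body
    if remote_allows(response, document_origin):
        return response.body
    return None
```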
