- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 9 Mar 2005 00:30:19 +0000 (UTC)
On Tue, 8 Mar 2005, Chris Holland wrote:
>
> http://chrisholland.blogspot.com/2005/03/contextagnosticxmlhttprequest-informal.html
>
> I'm basically looking to enable some sort of cross-host *and*
> cross-domain interoperability between documents via a modified clone of
> the XmlHttpRequest object, while attempting to tread very carefully on
> various security issues, such as Cookies and Basic-Auth credentials. A
> "ContextAgnosticXmlHttpRequest" would be a new object developers could
> use, beyond the traditional XmlHttpRequest.

One security problem with the above suggestion is that if you have a scenario where host H is accessed by a user U which is behind a corporate firewall, and behind that firewall are otherwise unprotected servers hosting sensitive information, you just gave hostile host H access to all that sensitive data.

The only real solution I can see is to have the remote server somehow opt in to being able to serve pages from any other site. I've been brainstorming possible ways to allow this kind of thing in:

   http://whatwg.org/specs/web-apps/current-work/#network

...but nothing currently there should be considered even remotely finished yet (or even representative of what I'm currently thinking, it's really just a scratchpad).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 8 March 2005 16:30:19 UTC
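
The opt-in model suggested in the message above, as an added example that is not part of the original mail: a toy user agent that hands a cross-site response to script only when the answering server has opted in. The header name `x-allow-cross-site`, the hosts and the response bodies are hypothetical, constructed for illustration.

```javascript
// Added illustration: a toy user agent deciding whether a page may read a
// cross-site response. Hosts, bodies and the header name are constructed.
const OPT_IN_HEADER = "x-allow-cross-site"; // hypothetical opt-in marker

// Constructed "network": what each server would answer. The intranet host is
// reachable only because the request is sent from the user's own browser,
// which sits behind the corporate firewall.
const servers = {
  "http://wiki.corp.example": () => ({
    headers: {},                              // server never opted in
    body: "internal salary table",
  }),
  "http://feeds.example.org": (req) => ({
    headers: { [OPT_IN_HEADER]: "*" },        // opts in for any site
    body: req.headers.cookie ? "personalised feed" : "public feed",
  }),
};

function crossSiteRequest(pageOrigin, url, cookieJar = {}) {
  const target = new URL(url).origin;
  const sameOrigin = target === pageOrigin;
  // Cross-site requests carry no cookies or Basic-Auth credentials.
  const headers =
    sameOrigin && cookieJar[target] ? { cookie: cookieJar[target] } : {};

  const handler = servers[target];
  if (!handler) return { readable: false, body: null, reason: "unreachable" };

  const res = handler({ headers });
  if (sameOrigin) {
    return { readable: true, body: res.body, reason: "same origin" };
  }

  // The server's own answer decides whether the page may see the body.
  const optIn = res.headers[OPT_IN_HEADER];
  const allowed = optIn === "*" || optIn === pageOrigin;
  return allowed
    ? { readable: true, body: res.body, reason: "server opted in" }
    : { readable: false, body: null, reason: "no opt-in from server" };
}
```

In this model the check only gates what script can read; the request itself still reaches the server, so a server that changes state on receipt of a request is not protected by the opt-in alone.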