- From: Darin Fisher <darin@meer.net>
- Date: Mon, 13 Mar 2006 11:12:46 -0800
Gervase Markham wrote:
> Darin Fisher wrote:
>
>> Backing up a second, I think what we need is a way to grant websites the
>> ability to control who may access their resources. It'd be ideal if the
>> browser had a way to ask the server for the list of hosts (or domains)
>> that are permitted to access it. I don't think this is a new idea as
>> several specifications have been attempted along these lines. Mozilla
>> even implements one of them for its SOAP and WSDL implementation.
>>
>
> My idea for that (bit of a one-track mind, me) was a Use-Domain: HTTP
> header. The JSON data would be served with "Use-Domain:
> www.mydomain.com", and the browser would refuse to give any page not
> from that domain access to the data.
>
> You could also use it to prevent image bandwidth stealing.
>
> Gerv
>

Keep in mind that there is also the problem that the POST request may have
undesirable side-effects. The web app probably needs a request header from
the browser to tell it what domain is sending it data. The Referer header is
not sufficient since the browser will not send an HTTPS referrer-URI over
plaintext. We need to restrict READs as well as WRITEs when it comes to XSS ;-)

-Darin
Received on Monday, 13 March 2006 11:12:46 UTC
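The exchange above contrasts a response-side "Use-Domain" header (a read gate the browser enforces after the request has already been sent) with the request-side header Darin asks for (a write gate the server can enforce before acting). The following toy model is an added example, not code from the thread or from any browser or W3C draft. It uses "Use-Domain" as Gerv proposed; "Origin" is an assumed name for the request-side header Darin describes, and the hosts, amounts and the permissive-when-Referer-is-missing server policy are constructed for illustration.

```javascript
// Added example, not from the thread. "Use-Domain" is Gerv's proposed response header;
// "Origin" is an ASSUMED name for the request-side header Darin asks for. All hosts,
// amounts and server policies below are constructed for illustration.

// Split "Use-Domain: www.mydomain.com, api.mydomain.com" into a set of host names.
function parseUseDomain(value) {
  if (!value) return new Set();
  return new Set(value.split(',').map(s => s.trim().toLowerCase()).filter(Boolean));
}

// Browser side, read gate: may a document at pageUrl be handed a response carrying
// these headers? By the time this runs the request has already reached the server.
function browserMayRead(pageUrl, responseHeaders) {
  const allowed = parseUseDomain(responseHeaders['use-domain']);
  if (allowed.size === 0) return true;                       // no header: readable as today
  return allowed.has(new URL(pageUrl).hostname.toLowerCase());
}

// Browser side: the Referer a request from pageUrl to targetUrl carries, or null.
// Models the rule Darin cites: an https referrer is never sent to a plaintext target.
function refererFor(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  if (page.protocol === 'https:' && new URL(targetUrl).protocol === 'http:') return null;
  return page.origin + '/';                                   // path dropped; simplification
}

// Browser side: assemble the request a page at pageUrl would send to targetUrl.
function buildRequest(pageUrl, targetUrl, method, body) {
  const headers = { origin: new URL(pageUrl).origin };        // assumed request-side header
  const referer = refererFor(pageUrl, targetUrl);
  if (referer) headers.referer = referer;
  return { method, url: targetUrl, headers, body };
}

// Server side: an account resource whose POST has a side-effect (it moves money).
// gate = 'referer' trusts Referer and lets a missing one through (a common choice,
// because proxies strip it); gate = 'origin' requires the request-side header.
function makeServer(allowedOrigin, gate) {
  const state = { balance: 100 };
  const useDomain = { 'use-domain': new URL(allowedOrigin).hostname };
  function handle(req) {
    if (req.method === 'POST') {
      const ref = req.headers.referer;
      const sender = gate === 'origin'
        ? req.headers.origin
        : (ref ? new URL(ref).origin : allowedOrigin);        // missing Referer: let it through
      if (sender !== allowedOrigin) return { status: 403, headers: {}, body: '' };
      state.balance -= Number(req.body.amount);                // the side-effect
      return { status: 200, headers: useDomain, body: 'ok' };
    }
    return { status: 200, headers: useDomain, body: JSON.stringify(state) };
  }
  return { handle, state };
}

// One POST from senderPage to the transfer endpoint. Reports whether the side-effect
// happened on the server and whether the sending page could read the response.
function crossSitePost(senderPage, targetUrl, gate) {
  const server = makeServer('http://www.mydomain.com', gate);
  const req = buildRequest(senderPage, targetUrl, 'POST', { amount: 40 });
  const res = server.handle(req);
  return {
    status: res.status,
    sideEffectHappened: server.state.balance !== 100,
    senderCanRead: res.status === 200 && browserMayRead(senderPage, res.headers),
  };
}

// Constructed scenario: an https attacker page posting to a plaintext http endpoint.
const ATTACKER = 'https://attacker.example/evil.html';
const TARGET = 'http://www.mydomain.com/transfer';
const withReferer = crossSitePost(ATTACKER, TARGET, 'referer');
const withOrigin = crossSitePost(ATTACKER, TARGET, 'origin');
console.log(withReferer);  // { status: 200, sideEffectHappened: true, senderCanRead: false }
console.log(withOrigin);   // { status: 403, sideEffectHappened: false, senderCanRead: false }
```

With the Referer gate, the https attacker page sends no Referer at all, the server treats the absence as benign, and the money moves; Use-Domain then stops the attacker from reading the response, but the write has already happened. With the request-side header the server knows the sender before it acts and refuses, while a same-site page at http://www.mydomain.com passes both gates.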