
[whatwg] JSONRequest

From: Darin Fisher <darin@meer.net>
Date: Mon, 13 Mar 2006 11:12:46 -0800
Message-ID: <4415C42E.5000309@meer.net>
Gervase Markham wrote:
> Darin Fisher wrote:
>   
>> Backing up a second, I think what we need is a way to grant websites the
>> ability to control who may access their resources.  It'd be ideal if the
>> browser had a way to ask the server for the list of hosts (or domains)
>> that are permitted to access it.  I don't think this is a new idea as
>> several specifications have been attempted along these lines.  Mozilla
>> even implements one of them for its SOAP and WSDL implementation.
>>     
>
> My idea for that (bit of a one-track mind, me) was a Use-Domain: HTTP
> header. The JSON data would be served with "Use-Domain:
> www.mydomain.com", and the browser would refuse to give any page not
> from that domain access to the data.
>
> You could also use it to prevent image bandwidth stealing.
>
> Gerv
>   

Keep in mind that there is also the problem that the POST request may 
have undesirable side-effects.  The web app probably needs a request 
header from the browser to tell it what domain is sending it data.  The 
Referer header is not sufficient since the browser will not send an HTTPS 
referrer-URI over plaintext.

We need to restrict READs as well as WRITEs when it comes to XSS ;-)

-Darin
Received on Monday, 13 March 2006 11:12:46 UTC
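The two controls discussed in this exchange, simulated in Python as an added example (not code from the list, from Mozilla, or from either poster): the browser-side READ check for Gerv's proposed "Use-Domain" response header, and the server-side WRITE check that needs an origin-identifying request header because Referer is stripped on HTTPS-to-plaintext requests. The "Use-Domain" list syntax (comma-separated; a leading dot meaning "this domain and its subdomains") and the request header name "Origin" are assumptions here; the thread names neither. "Origin" is the name the later CORS work standardised for exactly the request header Darin asks for.

```python
"""Simulation of the read and write controls discussed in the thread.

Assumptions (not from the original mail):
  * Use-Domain value: comma-separated hosts; 'www.mydomain.com' matches that
    host only, '.mydomain.com' matches the apex and every subdomain.
  * The browser attaches an 'Origin' request header to cross-site POSTs.
"""
from typing import Mapping, Optional, Sequence
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its lower-cased scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def host_matches(host: str, rule: str) -> bool:
    """Match one Use-Domain entry against a page host (assumed syntax)."""
    host, rule = host.lower(), rule.strip().lower()
    if rule.startswith("."):
        return host == rule[1:] or host.endswith(rule)
    return host == rule


def browser_may_expose(resource_url: str, response_headers: Mapping[str, str],
                       page_url: str) -> bool:
    """READ control, browser side (Gerv's Use-Domain proposal).

    Same-origin pages always get the data. A cross-origin page only gets it
    if the server listed that page's host. No header means no cross-origin
    access, so a server that says nothing is not accidentally opened up."""
    if origin_of(page_url) == origin_of(resource_url):
        return True
    use_domain = response_headers.get("Use-Domain")
    if not use_domain:
        return False
    page_host = urlsplit(page_url).hostname or ""
    return any(host_matches(page_host, rule) for rule in use_domain.split(","))


def server_accepts_post(request_headers: Mapping[str, str],
                        trusted_origins: Sequence[str]) -> bool:
    """WRITE control, server side.

    The browser is assumed to send an 'Origin' header naming the page that
    issued the POST. A missing or unlisted origin is rejected before any
    side-effecting work happens."""
    origin = request_headers.get("Origin")
    if origin is None:
        return False
    return origin.lower() in {o.lower() for o in trusted_origins}


def referer_only_check(request_headers: Mapping[str, str],
                       trusted_origins: Sequence[str]) -> Optional[bool]:
    """Why Referer alone is insufficient.

    When an HTTPS page posts to a plaintext URL the browser omits Referer,
    so the server sees nothing and cannot tell a legitimate HTTPS caller from
    a request that simply left the header out. Returning None makes that
    undecidable case explicit instead of silently accepting or rejecting."""
    ref = request_headers.get("Referer")
    if ref is None:
        return None
    return origin_of(ref) in {o.lower() for o in trusted_origins}


if __name__ == "__main__":
    # Constructed sample values, not from the original mail.
    api = "http://api.mydomain.com/data.json"
    hdrs = {"Use-Domain": "www.mydomain.com, .partner.example"}
    print(browser_may_expose(api, hdrs, "http://www.mydomain.com/page"))   # True
    print(browser_may_expose(api, hdrs, "http://other.example/page"))      # False
    print(server_accepts_post({}, ["https://www.mydomain.com"]))           # False
    print(referer_only_check({}, ["https://www.mydomain.com"]))            # None
```

The three functions separate the decisions the thread conflates: the browser decides what a page may read, the server decides which origins may write, and the Referer-based variant is kept only to show the undecidable case that makes it unusable as the sole check.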
