
[whatwg] JSONRequest

From: Gervase Markham <gerv@mozilla.org>
Date: Mon, 13 Mar 2006 22:23:10 +0000
Message-ID: <4415F0CE.2080305@mozilla.org>
Darin Fisher wrote:
> Keep in mind that there is also the problem that the POST request may
> have undesirable side-effects.  The web app probably needs a request
> header from the browser to tell it what domain is sending it data.  The
> Referer header is not sufficient since the browser will not send a HTTPS
> referrer-URI over plaintext.

And Referer, of course, is optional. And having something which is
compulsory might raise privacy issues.

> We need to restrict READs as well as WRITEs when it comes to XSS ;-)

Good point; I'd forgotten that.

Received on Monday, 13 March 2006 14:23:10 UTC
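Darin's point that the server needs a header identifying the sending site (Referer being optional and stripped on an HTTPS-to-plaintext hop), together with Gerv's reminder that reads must be restricted as well as writes, as an added server-side check. This is example code, not from the post or the JSONRequest proposal; it assumes the later-standardised Origin header is the sender-identifying header Darin describes, and the allowlist and sample requests are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: sites permitted to read from or write to this endpoint.
TRUSTED_ORIGINS = {"https://app.example.com"}


def _origin_of(url: str):
    """Reduce a URL to scheme://host[:port]; None if it is not a usable origin."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def sender_origin(headers: dict):
    """Identify the requesting site from whatever the browser chose to send.

    Origin (assumed here to be the header Darin asks for) is preferred.
    Referer is only a fallback: it is optional, and a browser omits it when an
    HTTPS page talks to a plaintext endpoint, so its absence proves nothing.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" in lowered:
        return _origin_of(lowered["origin"])
    if "referer" in lowered:
        return _origin_of(lowered["referer"])
    return None


def authorize(method: str, headers: dict) -> bool:
    """Allow only when the sender is identifiable and trusted, for GET and POST
    alike: a cross-site read of JSON leaks data just as a cross-site POST
    triggers side effects, so the method does not relax the check."""
    origin = sender_origin(headers)
    if origin is None:
        return False  # unknown sender: fail closed instead of trusting by default
    return origin in TRUSTED_ORIGINS


# Constructed sample requests.
SAMPLES = {
    "same_site_post": ("POST", {"Origin": "https://app.example.com"}),
    "https_to_http_no_referer": ("POST", {}),  # Referer stripped, no Origin
    "untrusted_referer_get": ("GET", {"Referer": "https://other.example/p.html"}),
    "trusted_referer_get": ("GET", {"Referer": "https://app.example.com/index"}),
}


def decisions():
    return {name: authorize(m, h) for name, (m, h) in SAMPLES.items()}
```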
