[whatwg] Proposal for cross domain security framework from Adrian Sutton on 2008-06-20 (public-whatwg-archive@w3.org from June 2008)

From: Adrian Sutton <adrian.sutton@ephox.com>
Date: Fri, 20 Jun 2008 15:31:20 +0100
Message-ID: <C4817DC8.5826%adrian.sutton@ephox.com>

(Frode, this is one of those lists where you have to hit reply all instead
of just reply to send your response to the list. I'm assuming you meant for
that, apologies if you'd meant it to be a private reply.)

On 20/06/2008 15:01, "Frode B?rli" <frode at seria.no> wrote:

>> Actually, DNS servers, particularly for reverse DNS lookups, are out of the
>> control of a huge number of authors on the web. Shared hosting accounts for
>> instance don't have a unique reverse IP look up. There are also plenty of
> 
> The reverse DNS spec specifically allows one IP address to have
> multiple reverse domains.

So how do you know which one to use?

>> people who don't control their DNS at all for whatever reason.
> 
> 1. People that do not have control over the reverse lookup seldom have
> control over multiple servers and seldom require to distribute load
> like this.

I have a few shared hosting sites that I manage and a few servers with
dedicated IPs but I still don't control the reverse DNS on any of them. Even
if I only had one server, I might still want to provide an API that other
people could use in their JavaScript - eg: to include headlines/content from
my RSS feed.

> 3. Hosting providers will add tools allowing their customers to
> configure this security framework, if it is required - but again; if
> you are on a shared server you most likely will not need to connect to
> multiple servers. It will also usually suffice to have a proxy on the
> server (like many people do for XMLHttpRequests now).

My experience is that hosting providers can be extremely slow to add tools
though it has improved lately.

My second thought is to wonder why DDOS is a concern for JavaScript cross
site scripting compared to simply writing out (either directly from the ad
server or from JS): <img src="http://otherhost/whatever.jpg"> an awful lot
and generating the same load on the server.

Regards,

Adrian Sutton.
______________________
Adrian Sutton, CTO
UK: +44 1 753 27 2229  US: +1 (650) 292 9659 x717
Ephox <http://www.ephox.com/>
Ephox Blogs <http://planet.ephox.com/>, Personal Blog
<http://www.symphonious.net/>

Received on Friday, 20 June 2008 07:31:20 UTC