W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2010

[whatwg] Lifting cross-origin XMLHttpRequest restrictions?

From: Ashley Sheridan <ash@ashleysheridan.co.uk>
Date: Fri, 12 Mar 2010 10:08:42 +0000
Message-ID: <1268388522.2892.10.camel@localhost>
On Thu, 2010-03-11 at 23:50 -0800, Michal Zalewski wrote:

> > Servers are already free to obtain and mix in content from other sites, so
> > why can't client-side HTML JavaScript be similarly empowered?
> 
> I can see two reasons:
> 
> 1) Users may not be happy about the ability for web applications to
> implement an unprecedented level of automation through their client
> (and using their IP) - for example, crawling the Intranet, opening new
> accounts on social sites and webmail systems, sending out spam.
> 
> While there is always some ability for JS to blindly interact with
> third-party content, meaningful automation typically requires the
> ability to see responses, read back XSRF tokens, etc; and while
> servers may be used as SOP proxies, the origin of these requests is
> that specific server, rather than an assortment of non-consenting
> clients.
> 
> The solution you propose - opt-out - kinda disregards status quo, and
> requires millions of websites to immediately deploy workarounds, or
> face additional exposure to attacks. For opt-in, you may want to look
> at UMP: http://www.w3.org/TR/2010/WD-UMP-20100126/ (or CORS, if you do
> not specifically want anonymous requests).
> 
> 2) It was probably fairly difficult to "sandbox" requests fully so
> that they are not only stripped of cookies and cached HTTP
> authentication, but also completely bypass caching mechanisms
> (although UMP aims to achieve this).
> 
> /mz


Potentially you're entering a whole world of problems. Not only would
all the browsers have to sandbox, but every single plugin that a browser
uses. Think of the way Flash has it's own method of storing potentially
sensitive cookie-like data on the clients machine, which the browser has
no control of. You're looking at a massive task just there.

Thanks,
Ash
http://www.ashleysheridan.co.uk


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100312/35752fd4/attachment.htm>
Received on Friday, 12 March 2010 02:08:42 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:21 UTC