Re: CfC: Candidate Recommendation of XMLHttpRequest; deadline June 30

On Tue, 22 Jun 2010 14:06:23 +0200, Thomas Roessler <tlr@w3.org> wrote:
> no news that I'd be aware of.
>
> Anne, can you take a first stab at the security considerations?  As I  
> said earlier, I'm available to review things, but don't have the  
> bandwidth to do significant writing this week.

I read through the original thread again (several times, I might add) and  
I'm still not sure what needs to be written down.

http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/thread.html#msg202

CONNECT, TRACK, and TRACE already have references with detailed  
explanations.

DNS rebinding is a generic problem.

setRequestHeader no longer mentions security reasons.

HTTP redirects simply follow the same policy as normal requests.

Origin is also a generic problem. I suspect we'll switch references from  
HTML5 to the origin specification in due course.

The SHOULD/MUST confusion has been addressed too.


The original thread concluded with looking for volunteers for certain  
aspects and the question as to whether a generic document was needed. I  
have attempted to clarify matters somewhat in the specification for  
setRequestHeader. Other than that I believe said volunteers have not been  
found. A document has not been written either. It has now been almost six  
months. We can continue looking I suppose, and we probably should, but at  
some point we have to cut our losses and move on.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 29 June 2010 15:02:18 UTC