Re: XMLHTTPRequest restrictions by origin

On 26 September 2014 14:11, Tim Berners-Lee <timbl@w3.org> wrote:

> XMLHTTPRequest restrictions by origin are driving me crazy.
>
> Every week it seems some code which used to work perfectly fine has been
> blocked by ever-increasing security restrictions on what XMLHTTPRequest can
> do.
>
>
> For example, a test file which used to work fine in
> /devel/
> github.com/linkeddata/tabulator-firefox/content/js/rdf/test/index.html
> now gives an error: (e.g. Chrome:)
> XMLHttpRequest cannot load file:///devel/
> github.com/linkeddata/tabulator-firefox/content/js/rdf/test/tc0006/test_UUU.js?_=1411730688738.
> Received an invalid response. Origin 'null' is therefore not allowed access.
>
>
> I test things in file: space where i can edit them and reload fast.
> I normally assume that a program I'm running in file: space is going to run and
> have access to whatever I have access to -- it is a trusted program in the Unix
> model.   (Yes, in an ideal world would I trap things which are untrusted in
> a Downloads directory, for example, and give them less access? Yes, but
> until we have a system like that, can we allow scripts in files to access
> files?)
>
> Other recent battles have been about Firefox getting confused as to when
> credentials should be sent, and as a result blocking in insecure access or
> now sending credentials on a secure one.
>
> Ooops - here is another.
> XMLHttpRequest cannot load
> http://www.w3.org/2000/10/rdf-tests/rdfcore/amp-in-url/test001.nt. No
> 'Access-Control-Allow-Origin' header is present on the requested resource.
> Origin 'https://linkeddata.github.io' is therefore not allowed access.
>  The 14-year-old test data now has to have its .htaccess files tweaked.
>
> Maybe, instead of asking every publisher of public content to change their
> config files, we either ask users to say they are not receiving the benefit
> of any "behind the firewall" or IP-authenticated material, or for that
> matter suggest those who do use those methods must change *their* servers
> to add a header saying that.
>
> This is probably the wrong list to send this to, and this must have been
> wargamed by the community before now -- maybe someone could provide me a
> pointer to the report.
>

+1

I understand CORS is there for our own security, but also encountered many
issues of this kind.  Any way the pain could be reduced would be greatly
appreciated.


>
> Tim
>

Received on Friday, 26 September 2014 12:18:38 UTC
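Added example, not part of the thread and not code from any of the participants: a small Node.js reimplementation of the check a browser performs on a cross-origin response (the Fetch specification's "CORS check"), fed the situations described in the mail as constructed inputs. The file: paths are made up; the w3.org test URL and the linkeddata.github.io origin are the ones quoted above; the reason strings are modelled on the Chrome messages in the mail but are not copied from any browser.

```javascript
// Added example (not from the mail thread): a reimplementation of the
// browser-side "CORS check" (Fetch specification) so the rules behind the
// errors quoted above can be run offline against constructed inputs.

// Serialize the origin a browser would send in the Origin header. Only
// http(s) URLs have a tuple origin; file: (and other non-network schemes)
// get an opaque origin, which serializes to the literal string "null".
function serializeOrigin(url) {
  const u = new URL(url);
  if (u.protocol === "http:" || u.protocol === "https:") {
    return `${u.protocol}//${u.host}`; // host keeps a non-default port
  }
  return "null";
}

function lowercaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Decide whether script on `pageUrl` may read the response to `requestUrl`.
// `credentials` mirrors XMLHttpRequest.withCredentials (cookies / HTTP auth
// sent along). Reason strings are modelled on the Chrome messages quoted in
// the mail, not copied from any browser.
function corsCheck(requestUrl, pageUrl, responseHeaders, credentials = false) {
  const origin = serializeOrigin(pageUrl);
  const target = new URL(requestUrl);

  // Same-origin responses bypass CORS entirely. An opaque ("null") origin is
  // never same-origin with anything, not even another file: URL.
  if (origin !== "null" && serializeOrigin(requestUrl) === origin) {
    return { ok: true, reason: "same-origin" };
  }
  // file: targets are not network resources, so there is no CORS-capable
  // response to examine: this is the first error in the mail.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { ok: false,
      reason: `Received an invalid response. Origin '${origin}' is therefore not allowed access.` };
  }
  const h = lowercaseKeys(responseHeaders);
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { ok: false,
      reason: `No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '${origin}' is therefore not allowed access.` };
  }
  // Two copies of the header (e.g. set by both origin server and a proxy)
  // combine into a comma-separated value, which the check rejects outright.
  if (acao.includes(",")) {
    return { ok: false, reason: `Access-Control-Allow-Origin has multiple values: '${acao}'` };
  }
  if (acao === "*") {
    // The wildcard is only honoured for credential-less requests, so a
    // public "*" cannot hand cookie-authenticated content to another origin.
    return credentials
      ? { ok: false, reason: "wildcard '*' is not allowed when credentials are sent" }
      : { ok: true, reason: "wildcard" };
  }
  // Otherwise the value must equal the serialized origin byte for byte.
  if (acao !== origin) {
    return { ok: false, reason: `Origin '${origin}' does not match '${acao}'` };
  }
  if (credentials && h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "Access-Control-Allow-Credentials: true is required with credentials" };
  }
  return { ok: true, reason: "exact origin match" };
}

// The situations from the mail, as constructed inputs (the file: paths are
// made up; the w3.org URL and the github.io origin are the ones quoted).
const W3_TEST = "http://www.w3.org/2000/10/rdf-tests/rdfcore/amp-in-url/test001.nt";
const GH_PAGE = "https://linkeddata.github.io/";

const scenarios = {
  fileToFile: corsCheck("file:///devel/test/tc0006/test_UUU.js",
                        "file:///devel/test/index.html", {}),
  noHeader: corsCheck(W3_TEST, GH_PAGE, { "Content-Type": "text/plain" }),
  wildcard: corsCheck(W3_TEST, GH_PAGE, { "Access-Control-Allow-Origin": "*" }),
  wildcardWithCredentials: corsCheck(W3_TEST, GH_PAGE,
                        { "Access-Control-Allow-Origin": "*" }, true),
  exactWithCredentials: corsCheck(W3_TEST, GH_PAGE, {
    "Access-Control-Allow-Origin": "https://linkeddata.github.io",
    "Access-Control-Allow-Credentials": "true" }, true),
};

for (const [name, r] of Object.entries(scenarios)) {
  console.log(`${name.padEnd(24)} ${r.ok ? "allowed" : "blocked"}  ${r.reason}`);
}
```

Run with `node cors_check.js` (file name assumed). On the publishing side, the fix for world-readable data such as the old rdfcore tests is a mod_headers directive in the .htaccess, `Header set Access-Control-Allow-Origin "*"` (requires mod_headers and an AllowOverride that permits FileInfo). The same directive on an intranet or IP-authenticated server would expose that content to any page the user happens to visit while inside the firewall, which is the case the header requirement exists to protect; the check above honours `*` only when no credentials are sent for the same reason.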