Enabling Read Access for Web Resources
I’ve been looking at the proposal by W3C to do cross domain requests via the XMLHttpRequest object in JavaScript.
Abstract
This document defines a mechanism to selectively provide client side cross-site access to a Web resource. Using either a HTTP header or an XML processing instruction (or both) resources can indicate they allow read access from specified hosts (optionally using patterns). When a pattern is used, one can also exclude certain hosts. For instance, allow read access from example.org and its subdomains with the exception of public.example.org.
Here’s an article by Kris Zyp with his thoughts on it.
http://www.json.com/2007/11/16/w3c-enabling-read-access-for-web-resources/
- It does not create any new vulnerabilities with existing servers. Cross domain XHR will always fail with existing servers until they have specifically added headers to define the access control. In other words, it doesn’t add new vulnerabilities to the web; rather it allows those who want to add cross site access the ability to do it in a secure manner without hacks like JSONP or fragment identifier messaging.
- Both GET and POST can currently be executed cross site with script tags or form submission, so many threats such as CSRF and DoS already exist; the proposal does not introduce them.
- The proposal states that cookies should be removed from cross site requests. This will reduce the incidence of cross site request forgery, and forces developers to use more secure, explicit forms of authentication maintenance.
- Developers that allow cross site access still must ensure that they are not providing privileged information to sites that should not be accessing the information. Developers that allow POST and other modifying operations should take similar precautions.
- This provides a fine-grained access control level. When servers define access control headers that allow cross site access, they can specify which web page domains are allowed to access their resources.
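To make the abstract’s allow/exclude patterns and the first and last of Kris Zyp’s points concrete, here is an added example (not code from the W3C draft, from Kris Zyp, or from this post) of the decision a browser would have to make. The rule syntax it parses, `allow <pattern> exclude <host>`, is an assumption made for this example and is not the draft’s exact header grammar; the hostnames are made up.

```javascript
// Added example: evaluates an allow/exclude read-access policy of the kind the
// W3C abstract describes. The "allow <pattern> exclude <host>" syntax is an
// assumption for this example, not the draft's header grammar.

// Parse a policy string such as
//   "allow <*.example.org> exclude <public.example.org>, allow <trusted.net>"
// into an array of { allow: pattern, exclude: [patterns] } rules.
function parsePolicy(policy) {
  const rules = [];
  for (const clause of policy.split(',')) {
    const tokens = clause.trim().match(/<[^>]+>|\S+/g) || [];
    let rule = null;
    let mode = null;
    for (const tok of tokens) {
      if (tok === 'allow') { mode = 'allow'; continue; }
      if (tok === 'exclude') { mode = 'exclude'; continue; }
      const m = tok.match(/^<([^>]+)>$/);
      if (!m) throw new Error('bad token in policy: ' + tok);
      const host = m[1].toLowerCase();
      if (mode === 'allow') {
        rule = { allow: host, exclude: [] };
        rules.push(rule);
      } else if (mode === 'exclude' && rule) {
        rule.exclude.push(host);
      } else {
        throw new Error('host without a preceding allow/exclude: ' + tok);
      }
    }
  }
  return rules;
}

// Does host match pattern? "*.example.org" matches example.org and every
// subdomain of it; a bare host matches only itself. Matching is on whole
// labels, so "evilexample.org" never matches "*.example.org".
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return host === pattern;
}

// The browser-side decision. With no header at all the request is denied,
// which is why existing servers are unaffected; otherwise the requesting
// page's host must match an allow pattern and none of that rule's exclusions.
function isReadAllowed(policyHeader, originHost) {
  if (policyHeader == null || policyHeader.trim() === '') return false;
  const host = originHost.toLowerCase();
  return parsePolicy(policyHeader).some(rule =>
    hostMatches(rule.allow, host) &&
    !rule.exclude.some(ex => hostMatches(ex, host)));
}

// Constructed sample policy matching the abstract's own example.
const SAMPLE_POLICY =
  'allow <*.example.org> exclude <public.example.org>, allow <trusted.net>';
```

Exclusions are evaluated per rule, so `public.example.org` is refused even though it matches `*.example.org`, while a second `allow` clause can still admit an unrelated host. Note that an exclusion written as a bare host only removes that exact host; to cut out its subdomains as well you would write the exclusion as a pattern too.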
I welcome it, as there have been many times where I have needed to do cross domain requests.