Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for December 5, 2013
Deadline scheduling: coming soon?
LWN.net Weekly Edition for November 27, 2013
ACPI for ARM?
LWN.net Weekly Edition for November 21, 2013
OK, so in what way is cross-site XMLHttpRequest not a huge security hole
waiting to happen?
Mozilla plans for Firefox 3 and beyond
Posted Jul 4, 2008 18:13 UTC (Fri) by k8to (subscriber, #15413)
It's a good question. One hopes there are some sane limitations placed on it.
Posted Jul 5, 2008 0:47 UTC (Sat) by njs (guest, #40338)
It's hopefully not a huge security hole in that the "cross-site XHR" is actually the "build a
security framework that allows cross-site XHR in the cases where it is safe but not in the
ones where it isn't" feature. There's a W3C proposal and all that. So that's reassuring,
I haven't followed the design of this thing myself, and the track record of people trying to
build secure stuff on top of the incredibly complex mash that is web technologies doesn't make
me terribly confident that they'll manage to get it right... but then again, the web is such a
mess security-wise that I'm not sure it's likely to make things much worse.
Posted Jul 5, 2008 8:57 UTC (Sat) by nix (subscriber, #2304)
Well, that looks less horrible than, say, MS's zones: but I can just feel
the edge cases waiting to be missed, leading to XHRs being allowed in
cases where they shouldn't be...
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds