Changes


Cross Site XMLHttpRequest

972 bytes added, 00:08, 24 January 2007
no edit summary
== Details ==
There is currently no finished spec, but there are two draft specs from the W3C for how this should work. The signaling for when a document is accessible is spec'ed in the access-control draft spec, available here [http://lists.w3.org/Archives/Public/public-appformats/2006Oct/att-0001/AC-2006-10-02-Porter.html]. This states that the site can insert <?access-control?> processing instructions into XML files that say which sites can access the file. It also allows HTTP headers to be added so that access can be controlled for any file type. The PI contains lists of URL patterns that describe which URLs can access the file. These patterns can contain wildcards, but follow strict parsing rules rather than being general URLs.

Additionally, [http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012] is a draft spec for how XMLHttpRequest should interact with the access-control spec. This spec describes some headers that should be included when making a cross site request. (Though I personally wonder if this part should be moved into the access-control spec.) It also describes how to deal with HTTP methods other than GET and POST.

== Suggested Implementation ==
It relies on the access-control spec (which also is still in draft) for the signaling as to when a document is accessible and when it's not. [http://lists.w3.org/Archives/Public/public-appformats/2006Oct/att-0001/AC-2006-10-02-Porter.html]
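One way to evaluate that signaling, as an added example that is not code from the draft spec or from any browser implementation: it pulls the <?access-control?> PI out of an XML response and decides whether a requesting origin matches its allow/exclude URL patterns, parsing each pattern strictly (scheme, host with at most one leading wildcard, port) instead of as a general URL. The allow/exclude attribute names, that pattern shape, and the rule that exclude wins over allow are assumptions for illustration, not the draft's exact grammar.

```javascript
// Added example (not from the draft spec or any browser): evaluate the
// <?access-control?> PI against a requesting origin.  The allow/exclude
// attributes, the "scheme://host:port" pattern shape with one leading "*"
// host wildcard, and "exclude wins" are assumptions for illustration.

// Constructed sample response: subdomains of example.org may read it,
// except dev.example.org; one explicit https origin is also allowed.
const SAMPLE_XML = `<?xml version="1.0"?>
<?access-control allow="*.example.org https://partner.test:8443" exclude="dev.example.org"?>
<data>constructed sample</data>`;

// Pull the allow/exclude lists out of the first access-control PI.
function parseAccessControlPI(xml) {
  const m = /<\?access-control\s+([^?]*)\?>/.exec(xml);
  if (!m) return null;
  const attrs = {};
  for (const a of m[1].matchAll(/(\w+)="([^"]*)"/g)) attrs[a[1]] = a[2];
  const list = (s) => (s || '').split(/\s+/).filter(Boolean);
  return { allow: list(attrs.allow), exclude: list(attrs.exclude) };
}

// Strict pattern grammar: [scheme://](*|[*.]host)[:port].  Paths, query
// strings or wildcards elsewhere make the pattern malformed, and a
// malformed pattern never matches (fail closed) rather than being
// interpreted as a general URL.
const PATTERN = /^(?:(https?):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+))?$/i;
const ORIGIN = /^(https?):\/\/([a-z0-9.-]+)(?::(\d+))?$/i;

function matchesPattern(pattern, origin) {
  const p = PATTERN.exec(pattern), o = ORIGIN.exec(origin);
  if (!p || !o) return false;
  const [, pScheme, pHost, pPort] = p;
  const [, oScheme, oHost, oPort] = o;
  if (pScheme && pScheme.toLowerCase() !== oScheme.toLowerCase()) return false;
  const oEffPort = oPort || (oScheme.toLowerCase() === 'https' ? '443' : '80');
  if (pPort && pPort !== oEffPort) return false;
  const h = pHost.toLowerCase(), oh = oHost.toLowerCase();
  if (h === '*') return true;                             // any host
  if (h.startsWith('*.')) return oh.endsWith(h.slice(1)); // subdomains only
  return oh === h;                                        // exact host
}

// Decision the browser would make before exposing the response body.
function isAccessAllowed(xml, origin) {
  const pi = parseAccessControlPI(xml);
  if (!pi) return false;                                  // no PI: deny
  if (pi.exclude.some((p) => matchesPattern(p, origin))) return false;
  return pi.allow.some((p) => matchesPattern(p, origin));
}
```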
== Security worries ==
* The first thing that worries me is that you can make POST submissions to any URL and include XML data as payload. It is already possible to make POST submissions to any URL, but the only possible payload is plain/text encoded form data or multipart/mixed encoded files and form data. With Cross-Site XMLHttpRequest it would be possible to send XML data. In particular there is worry that this would make it possible to do SOAP requests to any server. Note that while the page would be unable to access the data returned by the SOAP request, that isn't necessary if the request itself is "transfer all users' money to account 12345-67".

* Should we try to follow these specs even when accessing files on the same domain? From the site's point of view they can't rely on that anyway, since not all browsers support the access-control spec (and old versions never will).

<references/>