I think this is true, but it kind of depends on how you look at it. I think sometimes different types of cross-domain operations can get conflated together:
* cross-domain scripting - when code in one domain has the ability to access another domain's code or DOM * cross-domain data importing - transferring data from the context of one domain into another domain (XHR with AC, stylesheets) * cross-domain content loading - hands-off content loading operations such as IFRAME and IMG tags that leave content in their respective security domains--aka embedding In this (conveniently simplified) model, since iframe is a content loading operation, it doesn't need Access Control. Nor am I sure what it would really even mean to apply Access Control to it (would it be permitting data importing or scripting?) Probably the biggest fly in my otherwise nicely-simple ointment is <SCRIPT SRC=>. Is it cross-domain scripting or data importing? It may seem like scripting at first blush, but you may not have even instantiated any code from the source domain, and in the end its not much different than loading data via XHR+AC and then calling eval() on it. So I would argue that even <SCRIPT SRC=> is a data import operation, just one that is (alas) permitted by default and automatically evals everything it loads. So perhaps we are just agreeing insofar that Access Control should never govern cross-domain scripting. Whether it could/should be extended to govern (opt-out of) cross-domain loading/embedding is an interesting one. Thanks, Lucas. Bil Corry wrote: > On Nov 22, 2:03 pm, Lucas Adamski <[EMAIL PROTECTED]> wrote: >> Yes, my understanding is that Access Control is actually intended as a >> generic cross-site server policy mechanism, and XHR is just its first >> implementation. > > Anne confirmed that it's not intended to be XHR-only, however it's not > intended for all types of requests either. He specifically said it > would not work for <iframe> due to cross-site scripting issues. > > > - Bil > _______________________________________________ > dev-security mailing list > dev-security@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
