Hi,
I've been thinking a lot about same-origin policy recently. I understand
the protection it provides when it comes to cross-frame communication,
but I'm having a hard time understanding what it protects from when it
comes to cross-origin XHR.
Over the years, web sites have moved to web apps and to just apps. These
apps are client applications able to download content from different
origins and mash up content. Interestingly, the notion of origin does not
apply to these apps. Basically, being installed as independent pieces of
software, rather than loaded from a particular source in a web
browser, they are origin-free. This already applied to other client
applications such as crawlers.
To summarize, the same application (if written in JS for instance) could
perform cross-domain XHR if installed as stand-alone, but cannot if
running within a web browser (which granted it an origin and applied
same-origin restrictions).
Could someone explain how running in a web browser justifies such a
difference? For instance, could someone explain a threat particular to
cross-origin XHR in a web browser?
Thanks,
David
[XHR][XHR2] Same-origin policy protection (David Bruant)