Re: XHR and sandboxed iframes

2009-06-27 Thread Anne van Kesteren
On Thu, 18 Jun 2009 01:22:24 +0200, Mark S. Miller wrote: On Wed, Jun 17, 2009 at 3:35 PM, Ian Hickson wrote: then it will work the same as for any other cross-origin situation, which I believe means "it depends on the credentials flag", but I can't see where that is initialised so I don't kn

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-26 Thread Ian Hickson
On Fri, 26 Jun 2009, Tyler Close wrote: > > > > I don't understand why photo.example.com would trust the identifier > > from printer.example.net if the latter could be in the same namespace > > as the namespace photo.example.com uses for its own data. > > Are you saying the two web-apps should n

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-26 Thread Tyler Close
Response inline below, so keep scrolling... On Fri, Jun 26, 2009 at 3:41 PM, Ian Hickson wrote: > On Fri, 26 Jun 2009, Tyler Close wrote: >> >> Consider two web-applications: photo.example.com, a photo manager; and >> printer.example.net, a photo printer. Both of these web-apps use storage >> prov

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-26 Thread Ian Hickson
On Fri, 26 Jun 2009, Tyler Close wrote: > > Consider two web-applications: photo.example.com, a photo manager; and > printer.example.net, a photo printer. Both of these web-apps use storage > provided by storage.example.org. We're going to print a photo stored at: >

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-26 Thread Tyler Close
On Thu, Jun 18, 2009 at 12:32 AM, Ian Hickson wrote: > On Wed, 17 Jun 2009, Mark S. Miller wrote: >> > >> > I don't really understand what we're trying to prevent here. >> >> Confused deputies such as XSRF problems. Original paper is at < >> http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html>. It

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-18 Thread Ian Hickson
On Wed, 17 Jun 2009, Mark S. Miller wrote: > > > > I don't really understand what we're trying to prevent here. > > Confused deputies such as XSRF problems. Original paper is at < > http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html>. It's well worth > rereading. Much deeper than it at first

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 5:32 PM, Adam Barth wrote: > I know, but you do appreciate the irony in citing that email in a > discussion of how to mitigate CSRF. > ;)

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Adam Barth
On Wed, Jun 17, 2009 at 5:16 PM, Mark S. Miller wrote: > On Wed, Jun 17, 2009 at 5:09 PM, Adam Barth wrote: >> On Wed, Jun 17, 2009 at 5:02 PM, Mark S. Miller wrote: >> > Not in this way. At least not according to Roy Fielding (Mr. REST) >> >

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 5:09 PM, Adam Barth wrote: > On Wed, Jun 17, 2009 at 5:02 PM, Mark S. Miller wrote: > > On Wed, Jun 17, 2009 at 4:46 PM, Ian Hickson wrote: > >> But... we want the page talking on behalf of the user. That's the point > >> of a browser. > > > > Not in this way. At least no

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Adam Barth
On Wed, Jun 17, 2009 at 5:02 PM, Mark S. Miller wrote: > On Wed, Jun 17, 2009 at 4:46 PM, Ian Hickson wrote: >> But... we want the page talking on behalf of the user. That's the point >> of a browser. > > Not in this way. At least not according to Roy Fielding (Mr. REST) >

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 4:46 PM, Ian Hickson wrote: > But... we want the page talking on behalf of the user. That's the point > of a browser. Not in this way. At least not according to Roy Fielding (Mr. REST) < http://lists.w3.org/Archives/Public/ietf-http-wg/2009JanMar/0037.html>. > I don't

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Ian Hickson
On Wed, 17 Jun 2009, Mark S. Miller wrote: > On Wed, Jun 17, 2009 at 4:32 PM, Ian Hickson wrote: > > On Wed, 17 Jun 2009, Mark S. Miller wrote: > > > > > >> > > > > > >> If it does transmit any of these currently, are there any > > > > > >> objections to revising the spec so that it doesn't? > >

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 4:32 PM, Ian Hickson wrote: > On Wed, 17 Jun 2009, Mark S. Miller wrote: > > > > >> > > > > >> If it does transmit any of these currently, are there any > > > > >> objections to revising the spec so that it doesn't? > > > > > > Why? > > > > So that the containing page can

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Ian Hickson
On Wed, 17 Jun 2009, Mark S. Miller wrote: > > > >> > > > >> If it does transmit any of these currently, are there any > > > >> objections to revising the spec so that it doesn't? > > > > Why? > > So that the containing page can use such a credential removing service > to allow sanitized content

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 3:35 PM, Ian Hickson wrote: > On Wed, 17 Jun 2009, Mark S. Miller wrote: > > >> > > >> Does an xhr from a sandboxed unique origin iframe carry any > > >> credentials in the sense in which we've been using in this thread: > > >> * HTTP auth info > > >> * cookies (I think th

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Ian Hickson
On Wed, 17 Jun 2009, Mark S. Miller wrote: > >> > >> Does an xhr from a sandboxed unique origin iframe carry any > >> credentials in the sense in which we've been using in this thread: > >> * HTTP auth info > >> * cookies (I think the text implied not, but I'd like to check.) > >> * client-side ce

Re: XHR and sandboxed iframes

2009-06-17 Thread Anne van Kesteren
On Wed, 17 Jun 2009 22:43:07 +0200, Mark S. Miller wrote: Doh! Momentary confusion on my part. Thanks for catching this. FWIW, by default cross-origin XMLHttpRequest will not include cookies or HTTP authentication data. The withCredentials flag would have to be set for this and the reques

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 12:25 PM, Ian Hickson wrote: > On Wed, 17 Jun 2009, Mark S. Miller wrote: > > > > > > > > If it does transmit any of these currently, are there any objections > > > > to revising the spec so that it doesn't? > > > > > > Not necessarily. I'd like to know what Ian thinks abo

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
> > Is there no way to make the unique origin sandboxed iframe cookieless? I > > suppose, if not, the containing page could create a fresh unique origin > > sandboxed iframe per request, but seems rather heavy. Would that > > successfully render the resulting network messages cookieless? > > Cookie

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Ian Hickson
On Wed, 17 Jun 2009, Mark S. Miller wrote: > > > > > > If it does transmit any of these currently, are there any objections > > > to revising the spec so that it doesn't? > > > > Not necessarily. I'd like to know what Ian thinks about this. > > Wonderful! Ian? Sorry, I haven't been following thi

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Anne van Kesteren
On Wed, 17 Jun 2009 15:22:27 +0200, Mark S. Miller wrote: > On Wed, Jun 17, 2009 at 4:29 AM, Anne van Kesteren > wrote: >> * storage >> * same-origin communication channels >> * document.cookie >> * communicating with the document that hosts the <iframe> if they're >> same-origin > > What about com

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 4:29 AM, Anne van Kesteren wrote: > > HTML5 does not assume CORS at this point I believe. Having said that, the > "sandboxed origin browsing context flag" does more. It forces the content of > the <iframe> into a unique origin. A number of features are disabled because > of this:

XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Anne van Kesteren
On Wed, 17 Jun 2009 01:52:36 +0200, Mark S. Miller wrote: > I've now read the relevant portions of < > http://dev.w3.org/html5/spec/Overview.html#the-iframe-element>. Looks > like a > great start on the right direction! I'm genuinely enthused. Some > questions: FWIW, I may be wrong in which c