Gervase Markham wrote:
Darin Fisher wrote:
Backing up a second, I think what we need is a way to grant websites the
ability to control who may access their resources.  It'd be ideal if the
browser had a way to ask the server for the list of hosts (or domains)
that are permitted to access it.  I don't think this is a new idea as
several specifications have been attempted along these lines.  Mozilla
even implements one of them for its SOAP and WSDL implementation.

My idea for that (bit of a one-track mind, me) was a Use-Domain: HTTP
header. The JSON data would be served with "Use-Domain:
www.mydomain.com", and the browser would refuse to give any page not
from that domain access to the data.

You could also use it to prevent image bandwidth stealing.

Gerv

Keep in mind that there is also the problem that the POST request may have undesirable side-effects. The web app probably needs a request header from the browser to tell it what domain is sending it data. The Referer header is not sufficient since the browser will not send a HTTPS referrer-URI over plaintext.

We need to restrict READs as well as WRITEs when it comes to XSS ;-)

-Darin
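As an added example (not code from either poster), a small JavaScript model of the two checks this thread discusses: the browser-side Use-Domain read restriction Gerv proposes, and the server-side check for the POST case Darin raises, where the server needs a request header naming the sending domain because Referer cannot be relied on. The comma-separated Use-Domain syntax, the "Sending-Domain" request header and every hostname here are assumptions.

```javascript
// Added example modelling the Use-Domain proposal; not from the thread.
// Assumptions: Use-Domain is a comma-separated list of hostnames, and
// "Sending-Domain" is a hypothetical request header the browser would
// add so the server learns which page sent a POST.

// Lowercased hostname of a URL, or null if it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Parse a Use-Domain header value into a Set of lowercase hostnames.
function parseUseDomain(headerValue) {
  if (typeof headerValue !== "string") return new Set();
  return new Set(
    headerValue.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
}

// Browser-side READ check: may the page at pageOrigin see the response
// fetched from resourceUrl? Same host is always allowed; across hosts
// the whole hostname must appear in Use-Domain (no suffix matching, so
// "www.mydomain.com.evil.example" does not pass for "www.mydomain.com"),
// and a missing header fails closed.
function browserMayExpose(resourceUrl, useDomainHeader, pageOrigin) {
  const resHost = hostOf(resourceUrl);
  const pageHost = hostOf(pageOrigin);
  if (!resHost || !pageHost) return false;
  if (resHost === pageHost) return true;
  return parseUseDomain(useDomainHeader).has(pageHost);
}

// Server-side WRITE check for a POST with side effects. Referer is
// ignored on purpose: an https: page posting to a plain-http URL sends
// none, so a server that trusted it would have to fail open. Only the
// assumed Sending-Domain header is consulted; absent means reject.
function serverAcceptsPost(requestHeaders, allowedDomains) {
  const sender = requestHeaders["sending-domain"];
  if (typeof sender !== "string") return false;
  return parseUseDomain(allowedDomains).has(sender.trim().toLowerCase());
}
```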
