On Mon, 23 Feb 2009 14:23:40 +0100, Giorgio Maone <g.ma...@informaction.com> 
wrote:

On Fri, 20 Feb 2009 19:36:47 +0100, Bil Corry <b...@corry.biz> wrote:

Sigbjørn Vik wrote on 2/20/2009 8:46 AM:
One proposed way of doing this would be a single header, of the form:
x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
allow=*.opera.com,example.net;
This incorporates the idea from the IE team, and extends on it.

Have you taken a look at ABE?

    http://hackademix.net/wp-content/uploads/2008/12/abe_rules_03.pdf

I am not quite certain what you are referring to; the document is a
ruleset for how to express what is allowed and disallowed. Do you mean
that clients should be using a URL list, or that servers should be
using this particular grammar to decide which headers to send with
their URLs?
For a domain-wide policy file, a document like this might work well,
though.
ABE is meant to be configured in 3 ways:

   1. With user-provided rules, deployed directly client-side
   2. With community-provided rules, downloaded periodically from a
      trusted repository
   3. As a site-wide policy deployed on the server side in a single
      file, much like crossdomain.xml

See http://hackademix.net/2008/12/20/introducing-abe/ and especially
this http://hackademix.net/2008/12/20/introducing-abe/#comment-10165
comment about site-provided rules and merging.

Yes, a domain-wide policy file might be good to have, but it could not entirely 
replace having a header settable for a single resource; not all web authors 
have access to the root, so it would have to come as an addition, an optional 
replacement.

If a domain-wide policy file is used, it would make sense to have it in a 
format which can be distributed and applied locally, so users can patch web 
sites that don't do it themselves. ABE looks like a good candidate for all of 
this. A good candidate might also have to be implementable by the server, so 
that a server can look at the policy file and determine which headers to send 
for any particular resource, including which resources to send no headers for 
at all. Presumably ABE would work for that too.

--
Sigbjørn Vik
Quality Assurance
Opera Software
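As an added illustration (not code from this thread, from Opera, or from ABE), the following Python parses the x-cross-domain-options header value proposed above and evaluates a request against it. The directive semantics are an assumption, since the thread does not define them: `deny` governs cross-origin requesters only, and `AllowSameOrigin` and the `allow` host patterns are exceptions to it.

```python
import fnmatch
from urllib.parse import urlsplit


def parse_cross_domain_options(header):
    """Parse a proposed x-cross-domain-options value into a policy dict.

    Directives are ';'-separated; 'deny' and 'allow' carry ','-separated
    lists, 'AllowSameOrigin' is a bare flag. Unknown directives are rejected
    so a typo cannot silently weaken the policy.
    """
    policy = {"deny": set(), "allow": [], "allow_same_origin": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        values = [v.strip().lower() for v in value.split(",") if v.strip()]
        if name == "deny":
            policy["deny"].update(values)
        elif name == "allow":
            policy["allow"].extend(values)
        elif name == "allowsameorigin":
            policy["allow_same_origin"] = True
        else:
            raise ValueError("unknown x-cross-domain-options directive: %r" % name)
    return policy


def origin_of(url):
    """(scheme, host, port) tuple used for the same-origin comparison."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def is_allowed(policy, action, resource_url, requester_url):
    """Is `action` (frame, post, auth, ...) on resource_url permitted when it
    is initiated from requester_url? Assumed semantics: see the lead-in."""
    if action.lower() not in policy["deny"]:
        return True  # action is not governed by this policy
    if policy["allow_same_origin"] and origin_of(resource_url) == origin_of(requester_url):
        return True
    requester_host = origin_of(requester_url)[1]
    # Case-sensitive glob on already-lowercased hosts; note that '*.opera.com'
    # matches 'www.opera.com' but not the bare 'opera.com'.
    return any(fnmatch.fnmatchcase(requester_host, pat) for pat in policy["allow"])


# Constructed sample: the header value proposed in the thread.
EXAMPLE_HEADER = "deny=frame,post,auth; AllowSameOrigin; allow=*.opera.com,example.net;"
```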

