On Mon, 23 Feb 2009 14:23:40 +0100, Giorgio Maone <g.ma...@informaction.com> wrote:

>> On Fri, 20 Feb 2009 19:36:47 +0100, Bil Corry <b...@corry.biz> wrote:
>>> Sigbjørn Vik wrote on 2/20/2009 8:46 AM:
>>>> One proposed way of doing this would be a single header, of the form:
>>>> x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
>>>> allow=*.opera.com,example.net;
>>>> This incorporates the idea from the IE team, and extends on it.
>>> Have you taken a look at ABE?
>>> http://hackademix.net/wp-content/uploads/2008/12/abe_rules_03.pdf
>> I am not quite certain what you are referring to, the document is a
>> ruleset for how to express what is allowed and disallowed. Do you mean
>> that clients should be using a URL list, or that servers should be
>> using this particular grammar to decide which headers to send with
>> their URLs?
>> For a domain wide policy file a document like this might work well
>> though.
> ABE is meant to be configured in 3 ways:
> 1. With user-provided rules, deployed directly client-side
> 2. With community-provided rules, downloaded periodically from a
> trusted repository
> 3. As a site-wide policy deployed on the server side in a single
> file, much like crossdomain.xml
> See http://hackademix.net/2008/12/20/introducing-abe/ and especially
> this http://hackademix.net/2008/12/20/introducing-abe/#comment-10165
> comment about site-provided rules and merging.

Yes, a domain wide policy file might be good to have, but it could not entirely
replace having a header settable for a single resource, not all web authors
have access to the root, so it would have to come as an addition, an optional
replace.
If a domain wide policy file is used, it would make sense to have it in a
format which can be distributed and applied locally, so users can patch web
sites that don't do it themselves. ABE looks like a good candidate for all of
this. A good candidate might also have to be implementable by the server, so
that a server can look at the policy file, and determine which headers to send
for any particular resource, including which resources to send no headers for
at all. Presumably ABE would work for that too.
--
Sigbjørn Vik
Quality Assurance
Opera Software