Thursday, November 24th, 2005
He talks about the areas of concern:
- Resource Theft: Resource theft can happen when Jack Innocent visits the website of Evil Bob. Evil Bob has written some XHR code that repeatedly requests compute-expensive pages from the site of Victim Inc. Thus Evil Bob gets to use Jack Innocent’s browser and bandwidth to do his nasty work, and every visitor to Evil Bob’s page becomes another unwitting source of load on Victim Inc.
- Cross Site Scripting: Should we ban cross-domain XHR because of XSS attacks? I’m not sure, but be sure of this: there are plenty of ways to allow XSS attacks on your site without cross-domain XHR.
- Slow 3rd Party Web Sites: If you design your website to use thousands of small requests, then you are asking for trouble – so don’t do it! Likewise, if you design your website to depend on a slow third-party resource, then expect your website to be slow. Eric is right in saying that proxy caching is a great solution to this problem, but let’s not ban cross-domain XHR because people can do silly things with it.
I am personally waiting for trusted domains. It would be great to be able to say “mydomain.com trusts yourdomain.com and hisdomain.com”.
The server side could have a say in the matter too. If you want to offer your web service to the world to do whatever they want, then you should be able to say “let anyone talk to me”.
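The trusted-domain policy described above, as an added example that is not code from the original post or from Ajaxian: a server-side origin allow-list that can express either “mydomain.com trusts yourdomain.com and hisdomain.com” or “let anyone talk to me”. It is written with the response header browsers honour today under CORS (Access-Control-Allow-Origin), a standard that did not exist when this post was written. The helper names (trustAnyone, trustOnly, corsHeadersFor, naiveSuffixCheck), the policy object shape and the sample origins are this example’s own assumptions.

```javascript
// Added example, not code from the original post: a server-side origin
// allow-list of the kind the post wishes for. The policy shape and the helper
// names are assumptions of this example; the response header names are the
// ones browsers honour today under CORS.

// Policy 1: "let anyone talk to me" (public, credential-free web service).
function trustAnyone() {
  return { mode: 'any' };
}

// Policy 2: "mydomain.com trusts yourdomain.com and hisdomain.com".
// Each entry must be a full origin (scheme://host[:port]); it is normalised so
// that the later comparison is exact, not a substring match.
function trustOnly(...origins) {
  return { mode: 'list', trusted: new Set(origins.map(normalizeOrigin)) };
}

// Reduce "https://yourdomain.com:443/path?x" to "https://yourdomain.com".
// Throws on anything that is not a parseable absolute URL.
function normalizeOrigin(value) {
  return new URL(value).origin;
}

// Decide which CORS headers to attach to a response, given the request's
// Origin header and the server's policy. Returns an empty object when the
// caller is not trusted, so the browser withholds the response from the page.
function corsHeadersFor(requestOrigin, policy) {
  if (typeof requestOrigin !== 'string') {
    return {}; // same-origin or non-browser client: no CORS headers needed
  }
  if (policy.mode === 'any') {
    // A wildcard is only safe for public data: browsers refuse to combine "*"
    // with credentials, and this example never sends
    // Access-Control-Allow-Credentials.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  let origin;
  try {
    origin = normalizeOrigin(requestOrigin);
  } catch (e) {
    return {}; // "null", garbage or a relative URL: never trust it
  }
  if (!policy.trusted.has(origin)) {
    return {};
  }
  // Echo back exactly the matched origin (never the raw header) and tell
  // caches that the answer depends on Origin.
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

// The classic mistake, kept here to show what the exact match above avoids:
// a suffix test treats https://evilyourdomain.com as yourdomain.com.
function naiveSuffixCheck(requestOrigin, trustedHost) {
  return requestOrigin.endsWith(trustedHost);
}

// Constructed sample requests to exercise the policy offline.
const samplePolicy = trustOnly('https://yourdomain.com', 'https://hisdomain.com:8443');
for (const origin of [
  'https://yourdomain.com',
  'https://hisdomain.com:8443',
  'http://yourdomain.com',       // wrong scheme: not the same origin
  'https://evilyourdomain.com',  // suffix attack
  'null',                        // sandboxed frame or file:// page
  undefined,                     // same-origin request, no Origin header
]) {
  console.log(String(origin), '->', corsHeadersFor(origin, samplePolicy));
}
console.log('anyone ->', corsHeadersFor('https://anyone.example', trustAnyone()));
console.log('suffix check fooled:', naiveSuffixCheck('https://evilyourdomain.com', 'yourdomain.com'));
```

Run it with `node` and read the printed decisions. One caveat matters for the resource-theft bullet above: the browser enforces this policy only by hiding the response from the calling script. The server still receives and processes every request Evil Bob’s page fires, so an allow-list answers the “who may read my data” question but does nothing against load; that needs rate limiting or authentication on the server itself.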
What do you all think?
Should we open this all up?
Posted by Dion Almaer at 2:01 am