Wednesday, November 21st, 2007
The W3C has a new proposal titled Enabling Read Access for Web Resources which defines access control primitives to be used for cross domain XHR.
You can set control via a HTTP header:
- Access-Control: allow < *.example.org> exclude < *.public.example.org>
or an XML processing instruction:
- < ?access-control allow="allow.example.org" deny="deny.example.org"?>
so no cross_domain.xml.
Kris Zyp has written up his thoughts on the proposal:
A number of things to understand about this proposal:
- It does not create any new vulnerabilities with existing servers. Cross domain XHR will always fail with existing servers until they have specifically added headers to define the access control. In other words it doesnâ€™t add new vulnerabilities to the web, rather it allows those who want to add cross site access the ability to due it in a secure manner without hacks like JSONP or fragment identifier messaging.
- Both GET and POST can currently be executed cross site with scripts tags or form submission, so many threats such as CSRF and DOS already exist, the proposal does not introduce them.
- The proposal states that cookies should be removed from cross site requests. This will reduce the incident of cross site request forgery, and forces developers to use more secure explicit forms of authentication maintanence.
- Developers that allow cross site access still must ensure that they are not providing privileged information to sites that should not be accessing the information. Developers that allow POST and other modifying operations should take similiar precautions.
- This provides a fine-grained access control level. When servers define access control headers that allow cross site access, they can specify which web page domains are allowed to access their resources.
Kris also has a comparison with JSON approaches:
The core XMLHttpRequest object itself has also seen a recent new draft.
Posted by Dion Almaer at 6:56 am