Comments on: Subspace: Enabling trusted cross domain Ajax

By: rektide

rektide — Tue, 29 May 2007 21:56:15 +0000

GOTCHA
ok so this isnt even meant to circumvent cross domain sites in the first place. even if it did, the gotcha is that you cannot use REST unless you can cram all your query parameters into form actions: form target submission is the only way to iframe load (the only way to do cross domain) with a HTTP-Method other than GET. someone for the love of christ tell me i’m wrong cause this sucks. i’d much rather a json interchange format.

cross site security is garbage just in principle. if you want to be secure, dont link to someone elses content and dont go to sites that redirect you to something suspiciously resembling bankofamerica.com. if you want to be insecure and link to someones content, wish to let their site graft itself onto your site, to me it seems blisteringly obvious that the web page should be permitted to do so, along with the risks that carries, and that users should be informed of the connections. users ought be responsible for their browsing environments, and if cross site scripting happens to be part of their browsing environment when they visit your site, so be it, let them beware and let them take whatever hit. i see no reason to forbid things because they are complicated. to me it seems like the web content holding royalty are just afraid of being mashed upon, and have decided to enforce arbitrary ruling that forces XSS to be so bloody gimped out.

greasemonkey just seems so very unnecessary. its just sanctioning for XSS, but with all the 1991-era pain-in-the-ass of downloading and installing.

By: Jordan

Jordan — Tue, 29 May 2007 12:30:46 +0000

Since this post is being increasing linked from elsewhere, I ought to rectify my previous misunderstanding and say that this technique is indeed novel and not used by Dojo as of current.

By: Hans Blink

Hans Blink — Tue, 15 May 2007 08:09:10 +0000

Where is the prototype source?

By: mikael bergkvist

mikael bergkvist — Mon, 14 May 2007 23:37:55 +0000

I think there should be a an organisation that one could go through, that validates data sources.

Ex: src=”http://www.validate.org?return=www.mysite.com/some_data.js”

If the link isn’t validated by the service, I would get void() in return, otherwise, I’d get some code/data from mysite.com..

By: Collin Jackson

Collin Jackson — Mon, 14 May 2007 17:05:02 +0000

James and Mike – The idea is to combine cross-*sub*domain communication with dynamic script insertion to get true cross-*domain* communication, but in a controlled way that avoids the excessive trust requirements of dynamic script insertion.

Brian – You’re right, Subspace isn’t very back button friendly, and is best suited for single page applications.

By: Mike

Mike — Mon, 14 May 2007 16:56:01 +0000

You can also use Dynamic Script Insertion to tackle this issue. It is far simpler and much more robust. See my website link above for more information.

By: Jordan

Jordan — Mon, 14 May 2007 15:05:43 +0000

Dojo has had a module that does that for some time now. It’s not a novel idea.

By: Brian

Brian — Mon, 14 May 2007 14:54:14 +0000

This is an interesting paper. However the use of iframes will likely interfere with the history and make proper back/forward button usage difficult or impossible.

By: James

James — Mon, 14 May 2007 14:52:16 +0000

It would have been better if they named this Secure *Sub*-Domain Communciation for Web Mashups, since only communication with a subdomain is allowed (from http://www.mashup.com to webservice.mashup.com, not from http://www.mashup.com to webservice.other.com). It seems like a refinement of the standard document.domain type of iframe communication. But the document does have some nice summary information in there.