From: Karl Dahlke
Reply-to: Karl Dahlke
To: Edbrowse-dev@lists.the-brannons.com
Date: Mon, 12 Mar 2018 08:38:19 -0400
Subject: [Edbrowse-dev] XHR same-domain restriction
Message-ID: <20180212083819.eklhad@comcast.net>
References: <20180312071732.GA14308@nautica>
User-Agent: edbrowse/3.7.2
List-Id: Edbrowse Development List

1. Ok, I may be a little bit slow here. If we restrict xhr, and dynamic frames, that would just slow a trouble maker down, not stop him. The same guy who writes the js writes the html, so he can put in html and then the js can access the html via

    frames[0].contentDocument.innerHTML

A C program can crank out the html dynamically, and make all sorts of frames. If you don't want the user to know you're doing it you can set display=none in css so it's not even visible. That's not as convenient as xhr but it still works. So I don't see the point.

> 0 will not block anything (what we do right now)

2. The same guy that writes the js, and the html, also sends out the http headers, so if he wants xhr to access anything then he just sets that http header to 0 and off he goes. It's like we put a lock on our browser for some kind of security, but they can open it with an http key, and everybody knows it. How does that help?

3. If we implement restrictions, we have to do it all, including the http key that unlocks them, because some website might unlock them and expect xhr to work on some other domain, and when it doesn't, then the website doesn't work.

4. The matching rules may not be as simple as "same host". I'm thinking of cookies here. If you set a cookie on bar.com/a/b, that cookie remains valid for foo.bar.com/a/b, bar.com/a/b/c, and foo.bar.com/a/b/c. I'm not sure of the details, Chris wrote it, I'd have to go back and read the code. It seems likely though that xhr restrictions, if they were in force, would be similar. You could go ahead and fetch foo.bar.com if you were currently on bar.com.

5. I'm not trying to be rude or ungrateful here, I just don't want to do something that makes things worse. I appreciate all the research you are doing.
As for experimenting with firefox to see what it does, we should do a lot more of that. I mean that should be our baseline any time we're not sure of how something works. I've written a lot of css with various side effects, not entirely sure that I'm doing it right.

Karl Dahlke
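The cookie scoping rules raised in point 4, placed next to the scheme/host/port comparison that browsers use for same-origin decisions on XHR and frame access, as a worked example added by the editor. This is not edbrowse code and not code from the message; it assumes the RFC 6265 domain-match and path-match rules and the (scheme, host, port) origin tuple, and the function names and sample URLs are the editor's own constructions.

```python
# Added example (not edbrowse code): cookie scoping rules from RFC 6265
# next to the scheme/host/port comparison used for same-origin checks.
# Function names and the sample URLs are the editor's own constructions.
from urllib.parse import urlsplit


def default_cookie_path(request_path: str) -> str:
    """Default Path for a cookie set without a Path attribute (RFC 6265 5.1.4):
    the request path up to, but not including, its right-most '/'."""
    if not request_path or not request_path.startswith("/"):
        return "/"
    cut = request_path.rfind("/")
    return "/" if cut == 0 else request_path[:cut]


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the cookie domain, or ends with
    '.' + cookie domain and is a host name rather than an IP literal."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if host == cookie_domain:
        return True
    if host.replace(".", "").isdigit():  # dotted-decimal IPv4 literal
        return False
    return host.endswith("." + cookie_domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: equal, or cookie path is a prefix that
    either ends in '/' or is followed by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_applies(url: str, cookie_domain: str, cookie_path: str,
                   host_only: bool = False) -> bool:
    """Would a cookie with this Domain/Path be sent on a request to url?
    host_only models a cookie set without a Domain attribute, which is
    sent back only to the exact host that set it."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host_only:
        dom_ok = host == cookie_domain.lower().strip(".")
    else:
        dom_ok = domain_match(host, cookie_domain)
    return dom_ok and path_match(u.path or "/", cookie_path)


def origin(url: str) -> tuple:
    """Origin tuple as used by the same-origin policy: scheme, host, port
    (default port filled in so http://h/ and http://h:80/ compare equal)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else {"http": 80, "https": 443}.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def same_origin(url_a: str, url_b: str) -> bool:
    """The same-origin policy compares the whole tuple; no suffix or
    prefix matching is involved, unlike cookies."""
    return origin(url_a) == origin(url_b)


if __name__ == "__main__":
    # Constructed URLs mirroring the bar.com / foo.bar.com case in point 4.
    page = "http://bar.com/a/b"
    sub = "http://foo.bar.com/a/b/c"
    print("cookie Domain=bar.com Path=/a/b sent to foo.bar.com/a/b/c:",
          cookie_applies(sub, "bar.com", "/a/b"))
    print("bar.com and foo.bar.com same origin:", same_origin(page, sub))
```

Run stand-alone, the block shows the two rules diverge on exactly the case in point 4: a cookie with Domain=bar.com and Path=/a/b is sent on a request to foo.bar.com/a/b/c, while the origin comparison reports bar.com and foo.bar.com as different. The cookie rule is a suffix match on the host and a prefix match on the path; the origin rule is an equality test on scheme, host and port. That difference is what to check against a real browser before assuming an XHR restriction would mirror the cookie code.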