From: Kevin Carhart <kevin@carhart.net>
To: Edbrowse-dev@lists.the-brannons.com
Subject: Re: [Edbrowse-dev] XHR same-domain restriction
Date: Tue, 13 Mar 2018 18:54:52 -0700 (PDT)
Message-ID: <alpine.LRH.2.03.1803131750230.3196@carhart.net>
In-Reply-To: <20180312125722.GA3901@nautica>
I'm interested in the discussion that followed here. I don't have a
problem with not simply wrapping the fetchHTTP call. It might be a good
idea to address this somehow, but I take Karl's point that circumvention
is only one 'make' away assuming someone knows what make is.
What Dominique is saying about preventing code injection attacks is also
important. I think part of the problem is that we are simultaneously a little like
firefox/chrome/IE and a little like wget/curl, or for that matter, like
'rm' the C program. The author of rm doesn't write rm and then try to protect
you from it, do they? I don't know. Do we have a savvy audience
who can worry about their own caution, or a mass audience who we ought to
protect from bricking their routers??
> I doubt there are restrictions on xhr domains in other browsers.
> If there were such restrictions, one could get around them easily.
I am not saying this hasn't been superseded later on by workarounds, but
it's part of bedrock, early AJAX information that there is a restriction
on the domain, or is supposed to be. W3schools has a lot of outdated
pages and is occasionally ridiculed (there was a site called w3fools
advising not to use it), but here is their basic AJAX
information which I probably "grew up with", or used as a reference in
2007 or 2010: "...For security reasons, modern browsers do not allow
access across domains. This means that both the web page and the XML file
it tries to load, must be located on the same server. The examples on
W3Schools all open XML files located on the W3Schools domain..."
So when I reference it as though it's a fact of life, that's where I'm
getting it from. After that it bifurcates into what kind of audience
you're talking about and what is at stake.
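The "same server" rule quoted from W3schools above is, in browser terms, a comparison of the page's origin (scheme, host, port) against the request target's origin. The following is an added illustration of that check, not code from this thread or from edbrowse; it assumes only the standard WHATWG URL parser (global in Node.js and in browsers), and the sample URLs are constructed.

```javascript
// Added example: a minimal same-origin decision for XHR targets, following
// the scheme/host/port origin tuple. Not edbrowse code; assumes the global
// WHATWG URL class. Hypothetical helper names: originOf, isSameOrigin,
// checkXhrTarget.

// The URL parser drops a port equal to the scheme default ("https://h:443"
// parses with port ""), so we map "" back to the default to make the
// comparison explicit and to catch "https://h:8443" as a different origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

function originOf(urlString, base) {
  // A relative target (e.g. "/api/items.xml") resolves against the page URL.
  const u = new URL(urlString, base);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

function isSameOrigin(pageUrl, targetUrl) {
  const a = originOf(pageUrl);
  const b = originOf(targetUrl, pageUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A decision hook a user agent could place in front of its HTTP fetch for
// script-initiated requests. Returns a verdict object so the caller can
// block the request and log why.
function checkXhrTarget(pageUrl, targetUrl) {
  const allowed = isSameOrigin(pageUrl, targetUrl);
  return {
    allowed,
    page: originOf(pageUrl),
    target: originOf(targetUrl, pageUrl),
    reason: allowed ? "same origin" : "cross-origin XHR blocked",
  };
}

// Constructed sample cases covering the edge cases that matter in practice.
const SAMPLES = [
  ["https://shop.example/cart", "/api/items.xml"],              // relative path: same origin
  ["https://shop.example/cart", "https://shop.example:443/x"],  // default port spelled out: same
  ["https://shop.example/cart", "http://shop.example/x"],       // scheme differs: blocked
  ["https://shop.example/cart", "https://shop.example:8443/x"], // port differs: blocked
  ["https://shop.example/cart", "https://shop.example.test/x"], // host differs by suffix: blocked
];

for (const [page, target] of SAMPLES) {
  const v = checkXhrTarget(page, target);
  console.log(`${target.padEnd(32)} -> ${v.allowed ? "allow" : "block"} (${v.reason})`);
}
```

The comparison is deliberately strict: a differing port or scheme is a different origin even when the hostname matches, and the hostname comparison is exact, so a lookalike suffix domain never passes. This is the bare policy the quoted text describes; CORS response headers, which let a server opt in to cross-origin reads, are a separate relaxation layered on top and are not modelled here.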