Speaking of securing the filesystem and following up on Dominique's message from a few days ago, do we want to implement the restriction that XHR is only allowed to load pages from the domain that you are currently on? If so, is this a workable phrasing to make the test? Assuming an xhr object which I am referencing as 'this', this.url is a string. So I turn it into our URL class in order to easily grab and test the host.

if (new URL(this.url).host == window.location.host)
allow fetchHTTP to run
} else {
prevent fetchHTTP from running
set this.aborted = true
throw a new error with a message

Here's a startwindow that makes this change if we want to do this.

Tested on the dummy page http://carhart.net/~kevin/badxhr.html

Without the change, xhr.responseText gets the contents of http://pizza.com
With the change, it refuses to load http://pizza.com from carhart.net

Edbrowse-dev mailing list

Reply via email to