Jon Ferraiolo wrote:
<jonas>
I don't understand at all what you are proposing. If we allow the client
to always POST cross domain the damage is already done and we have lost
already.... JSONRequest always allows cross-site POSTs, i.e. it always
allows the thing we are trying to prevent.
</jonas>
JSONRequest requires that a server make explicit changes in order to
opt-in to enabling cross-site requests (GET or POST). From the
JSONRequest spec (http://www.json.org/JSONRequest.html):
3. Responses will be rejected unless they contain a JSONRequest content
type. This makes it impossible to use JSONRequest to obtain data from
insecure legacy servers.
Yes, JSONRequest makes the assumption that POSTing data cross site is
safe as long as the posted data is of type application/jsonrequest. This
is an assumption that I personally as well as Mozilla feel very
uncomfortable with.
This becomes even more of a problem if you want to scale up the
JSONRequest spec to support other data types than JSON objects
(something which is in the AC requirements).
That said, if you really think that it is possible to create a security
model based on JSONRequest which supports the requirements listed in the
AC spec, I look forward to such a proposal.
<jonas>
We can't make existing, already deployed servers start
dealing with this new spec.
</jonas>
I'm not sure what you are asking. Are you saying that we can't require
existing servers to make changes in order to support cross-site
requests? But AC also requires servers to make changes in order to
support at least some of its features.
I simply meant that we can't create a spec which makes currently
deployed servers suddenly vulnerable. I.e. we have to use an opt-in
mechanism rather than an opt-out one.
/ Jonas
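
Added example, not part of the original message or of the JSONRequest spec: an in-memory JavaScript model of the distinction argued in this thread, where a response content-type check keeps the reply from the caller but runs only after a legacy server has already processed the POST. The legacy server (assumed to ignore the request Content-Type), the `optsIn` flag and all function names are hypothetical, and how a server would declare opt-in is left abstract.

```javascript
// Constructed, in-memory model: no network, no real JSONRequest implementation.
const JSONREQUEST_TYPE = "application/jsonrequest";

// Hypothetical legacy server, deployed before the spec existed. Assumption: it
// acts on any POST body and never looks at the request Content-Type.
function makeLegacyServer() {
  const state = { email: "owner@example.test" };
  return {
    state,
    optsIn: false, // it has never heard of cross-site requests
    handle(req) {
      if (req.method === "POST" && req.body.email) state.email = req.body.email;
      return { headers: { "content-type": "text/html" }, body: "<p>saved</p>" };
    },
  };
}

// Response-side check only: send first, then reject replies of the wrong type.
function responseCheckedPost(server, body) {
  const res = server.handle({
    method: "POST",
    headers: { "content-type": JSONREQUEST_TYPE },
    body,
  });
  if (res.headers["content-type"] !== JSONREQUEST_TYPE) {
    return { delivered: true, readable: false }; // caller sees nothing
  }
  return { delivered: true, readable: true, data: res.body };
}

// Opt-in before sending: the body never leaves unless the server has declared
// support. How that declaration is learned is left abstract (assumption).
function optInGatedPost(server, body) {
  if (!server.optsIn) return { delivered: false, readable: false };
  return responseCheckedPost(server, body);
}

function demo() {
  const a = makeLegacyServer();
  const r1 = responseCheckedPost(a, { email: "changed@example.test" });
  const b = makeLegacyServer();
  const r2 = optInGatedPost(b, { email: "changed@example.test" });
  return { r1, stateA: a.state.email, r2, stateB: b.state.email };
}

console.log(demo());
```
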