You are correct that there are a number of other means in information can be coopted. So trying to limit access via the originating site would essentially be useless.
Thanks Mike Chack O: +1 408.526.4639 M: +1 408.504.6594 [email protected] -----Original Message----- From: Anne van Kesteren [mailto:[email protected]] Sent: Tuesday, February 17, 2009 3:23 AM To: Mike Chack (mchack); [email protected] Subject: Re: [cors] Possible need for a "Destination" Header On Mon, 16 Feb 2009 18:14:10 +0100, Mike Chack (mchack) <[email protected]> wrote: > Unless I am missing something, there seems to be a security hole with > the current proposal. If a site has been hacked then malicous code can > send content to any site that abides by the access control policies. It > is up to the destination site to accept the request, and in the case of > a nefarious destination, would most certainly do so. Wouldn't it also > make sense to have some policy control from the origination site that > would limit where requests could be made. This could be done in the form > of a "Desitnation" Header that would give more control over where > XmlHttp requests could be directed. I'm not sure I follow. If a site has been hacked, why would it still control the "Destination" header? Note that if a site is hacked and wants to distribute data to evilpartner.com it already has lots of ways to do that e.g. through <img src>, <form action>, <iframe src>, etc. -- Anne van Kesteren http://annevankesteren.nl/
