On Wed, Dec 9, 2009 at 7:43 AM, Ian Hickson <[email protected]> wrote:
> Ok, let's move on to a more complex case.
>
> Consider a static resource that is protected by a cookie authentication
> mechanism. For example, a per-user static feed updated daily on some
> server by some automated process. The server is accessible on the public
> Web. The administrator of this service has agreements with numerous
> trusted sites, let's say a dozen sites, which are allowed to fetch this
> file using XHR (assuming the user is already logged in). The sites that
> fetch this file do not require authentication (e.g. one could be my portal
> page, which is just a static HTML page, without any server-side script).
> Other sites must not be allowed access to the file.
>
> How does one configure the server to handle this case?
Again going with the simplest thing that could possibly work: Each of the
per-user static feeds is referenced by a unique unguessable URL of the same
format used in the previous example. For example,

https://example.com/user123/?s=42tjiyrvnbpoal
https://example.com/user456/?s=sdfher34nvl34
...

Again, a GET response from such a URL carries the same-origin opt-out header.
The user gives this URL only to those services he wants to access the feed.
For example, you could copy this URL into your personal static HTML page that
acts as your portal.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
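The scheme Tyler describes, as an added example that is not code from the thread: the server mints an unguessable per-user feed URL, and a GET with the right secret is answered with the cross-origin opt-out header (assumed here to be CORS's `Access-Control-Allow-Origin: *`, which the thread does not name). Every failure returns the same 404 so the response does not reveal whether a user exists, and reissuing a URL revokes the old one. The in-memory store, the `example.com` origin and the feed bodies are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store: user id -> (secret token, feed body).
FEEDS = {}


def issue_feed_url(user_id, feed_body, origin="https://example.com"):
    """Mint a fresh unguessable feed URL for a user.

    token_urlsafe(16) draws 128 bits from the OS CSPRNG; storing the new
    token overwrites the old one, so reissuing also revokes the old URL.
    """
    token = secrets.token_urlsafe(16)
    FEEDS[user_id] = (token, feed_body)
    return f"{origin}/{user_id}/?s={token}"


def handle_get(url):
    """Serve a GET for a feed URL; returns (status, headers, body).

    The secret in the URL is the only credential: no cookie is consulted,
    so any site the user handed the URL to can fetch it with a plain XHR.
    """
    not_found = (404, {}, "")  # one answer for every failure mode
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) != 1:
        return not_found
    entry = FEEDS.get(parts[0])
    if entry is None:
        return not_found
    token, body = entry
    presented = parse_qs(parsed.query).get("s", [""])[0]
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(token, presented):
        return not_found
    headers = {
        # Opt out of the same-origin restriction: any origin may read the body.
        "Access-Control-Allow-Origin": "*",
        # The URL is the secret; keep the body out of shared caches.
        "Cache-Control": "private, no-store",
    }
    return 200, headers, body
```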
