Some minor suggestions on section "5.2. Network Access".
"Access to network resources varies depending on whether the resources
are in the same origin as the document attempting to access them.
Generally, reading information from another origin is forbidden."
Based on the generality of the content that is allowed - images, script,
style sheets, it almost seems that the above sentence could be reversed
to say that "Generally, reading information from another origin is
allowed." Otherwise, you could further demonstrate some of the cases
where it is generally forbidden, such as with XMLHttpRequest.
"However, a document is permitted to use some kinds of resources
retrieved from other origins. For example, a document is permitted
to execute script, render images, and apply style sheets from any
origin. Likewise, a document can display a document from another
origin in a frame."
The notion of displaying a document in a frame may be misleading in the
context of this paragraph, given that the other examples grant full
access to the creator document's DOM, while the document in the frame
does not.
"Generally, sending information to another origin is permitted.
However, sending information over the network in arbitrary formats is
dangerous. For this reason, user agents restrict documents to
sending information using particular protocols, such as in an HTTP
request without custom headers."
I'm feeling a bit hungry here, can you provide some more food for
thought? Some simple examples may help. I'm thinking of HTML's
postMessage interface and HTML forms.
Best regards,
Chris Weber
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
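As an added illustration of the origin comparison the quoted section relies on and of the postMessage case the reviewer asks about (example code, not part of the draft or of this message): the origin tuple is derived from a URL with the WHATWG URL parser available in Node, so the block runs without a browser; the postMessage event objects at the bottom are constructed stand-ins for real MessageEvents, and the allowlisted origins are hypothetical.

```javascript
// Added example: origin tuples, serialized origins, and an origin-checking
// postMessage receiver. Runs under Node; no browser window is needed.

// The origin of a URL is the (scheme, host, port) triple. The URL parser
// drops a default port, so it is filled back in here to make comparison
// explicit rather than relying on string equality of the input URLs.
function originOf(url) {
  const u = new URL(url);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return { scheme: u.protocol.replace(':', ''), host: u.hostname, port };
}

// Two URLs are same-origin only when all three components match; a
// different scheme, a different host (even a subdomain) or a different
// port each yields a distinct origin.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Serialized form, as seen in MessageEvent.origin: the port is written only
// when it is not the scheme's default, e.g. "https://example.com:8443".
function serializeOrigin(url) {
  const o = originOf(url);
  const defaultPorts = { http: '80', https: '443' };
  const suffix = o.port && o.port !== defaultPorts[o.scheme] ? ':' + o.port : '';
  return `${o.scheme}://${o.host}${suffix}`;
}

// Receiving side of postMessage. Any document can send; the receiver must
// compare event.origin against an allowlist before acting on event.data.
// Returns true when the message was accepted, false when it was dropped.
function makeMessageHandler(allowedOrigins, onAccepted) {
  const allowed = new Set(allowedOrigins.map(serializeOrigin));
  return function handle(event) {
    if (!allowed.has(event.origin)) return false; // unknown sender: ignore data
    onAccepted(event.data, event.origin);
    return true;
  };
}

// Constructed events standing in for what a browser would deliver.
const handler = makeMessageHandler(['https://app.example.com'], (data, origin) =>
  console.log(`accepted ${JSON.stringify(data)} from ${origin}`));
handler({ origin: 'https://app.example.com', data: { action: 'refresh' } });
handler({ origin: 'https://other.example.net', data: { action: 'refresh' } });
```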