On Sat, May 28, 2011 at 9:02 AM, Chris Weber <[email protected]> wrote:
> Some minor suggestions on section "5.2. Network Access".
>
> "Access to network resources varies depending on whether the resources
> are in the same origin as the document attempting to access them.
>
> Generally, reading information from another origin is forbidden."
>
> Based on the generality of the content that is allowed - images, script,
> style sheets, it almost seems that the above sentence could be reversed to
> say that "Generally, reading information from another origin is allowed."
> Otherwise, you could further demonstrate some of the cases where it is
> generally forbidden, such as with XmlHttpRequest.

The general case is that it is forbidden. It's only in the enumerated special cases that it is allowed. The number of enumerated cases isn't related to what happens in the general case.

> "However, a document is permitted use some kinds of resources
> retrieved from other origins. For example, a document is permitted
> to execute script, render images, and apply style sheets from any
> origin. Likewise, a document can display a document from another
> origin in a frame."
>
> The notion of displaying a document in a frame may be misleading in the
> context of this paragraph, given that the other examples grant full access
> to the creator document's DOM, while the document in the frame does not.

That's not accurate. Rendering an image from another origin does not grant full access to the creator document's DOM, nor does applying style sheets (in modern browsers).

> "Generally, sending information to another origin is permitted.
> However, sending information over the network in arbitrary formats is
> dangerous. For this reason, user agents restrict documents to
> sending information using particular protocols, such as in an HTTP
> request without custom headers."
>
> I'm feeling a bit hungry here, can you provide some more food for thought?
> Some simple examples may help. I'm thinking of HTML's postMessage
> interface and HTML forms.

I added a sentence about the recent issues with WebSockets expanding the allowable set of things an origin can send.

Thanks!
Adam

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
