[OpenAjaxSecurity] Fw: IE8 Ajax features announced

Bertrand Le Roy Bertrand.Le.Roy at microsoft.com
Thu Mar 6 11:49:59 PST 2008

Yes, last time I spoke with them about the W3C spec they said that they wanted a much smaller attack surface, which seems to be what they went for in this implementation. Whether this makes it good enough for the common scenarios or if this is insufficient would probably be interesting feedback for the IE team. My personal opinion is that it's good enough and should put to rest the security-anxiousness, but it would be great to hear what others think.


From: security-bounces at openajax.org [mailto:security-bounces at openajax.org] On Behalf Of Jon Ferraiolo
Sent: Thursday, March 06, 2008 10:07 AM
To: security at openajax.org
Subject: [OpenAjaxSecurity] Fw: IE8 Ajax features announced

I am forwarding this URL which Bertrand passed our way. Microsoft has announced some of the features that will be included in IE8. Given the previous discussion on this list about W3C Access Control, I wanted to make sure people noticed the IE8 cross-domain request feature.

It is quite interesting how minimalistic the IE8 cross-domain request feature is. It looks to me like the feature does not send referrer URL, does not allow setting custom HTTP headers and does not send cookies. If I am correct on these issues, then if you want to send information such as user credentials with the cross-domain request, those credentials would have to be included in a POST payload.



Bertrand says:

The Ajax section may be of interest to the group, in particular the Cross-document Request and Cross-document Messaging parts.