[OpenAjaxSecurity] Fw: IE8 Ajax features announced
Jon Ferraiolo
jferrai at us.ibm.com
Thu Mar 6 12:10:54 PST 2008
My feedback: I like the IE8 approach. In fact, I attempted to convince the
W3C that an approach like this was the best way to go. (But I expressed
this opinion mostly in terms of JSONRequest or something similar being a
better approach.)
Regarding the lack of flexibility with the IE8 approach (e.g., you can't set
headers and cookies don't get sent), if people need more flexibility, they can
use an IFRAME to talk to the other site, which allows full XHR within that
IFRAME, and then communicate between the two frames using the new
postMessage() feature that is also in IE8.
Jon
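The IFRAME plus postMessage() bridge described above, as an added example that is not part of the original post: the embedding page asks a frame hosted on the other site to perform the XHR on its own origin, and both sides check message origins so that neither a foreign frame nor a stray message can drive the bridge. The origins, the `/data` path and the stubbed request function are constructed assumptions so the logic runs offline in Node.

```javascript
// Added example, not code from the mailing-list post.
const APP_ORIGIN = 'https://app.example'; // constructed: page that embeds the frame
const API_ORIGIN = 'https://api.example'; // constructed: frame origin with full XHR

// Parent side: always pass an explicit targetOrigin, never '*', so that
// whatever document ends up in the frame after a navigation cannot read it.
function sendBridgeRequest(frameWindow, path, id) {
  frameWindow.postMessage({ id, path }, API_ORIGIN);
}

// Frame side: honour requests only from the known embedding origin, check the
// message shape, run the same-origin request, and reply to that origin only.
function makeFrameHandler(doRequest) {
  return function onMessage(event) {
    if (event.origin !== APP_ORIGIN) return { ignored: true, reason: 'origin' };
    const { id, path } = event.data || {};
    if (typeof id !== 'number' || typeof path !== 'string' || !path.startsWith('/')) {
      return { ignored: true, reason: 'shape' };
    }
    const body = doRequest(path); // stands in for the frame's same-origin XHR
    event.source.postMessage({ id, body }, APP_ORIGIN);
    return { ignored: false, id };
  };
}

// Parent side: accept replies only from the bridge origin and only for
// request ids still outstanding, so no other message is mistaken for a reply.
function makeParentHandler(pending) {
  return function onMessage(event) {
    if (event.origin !== API_ORIGIN) return false;
    const { id, body } = event.data || {};
    if (!pending.has(id)) return false;
    pending.get(id)(body);
    pending.delete(id);
    return true;
  };
}

// Offline wiring with stand-in window objects (constructed). requestOrigin is
// the origin the frame sees on the incoming request; returns the delivered body.
function simulate(requestOrigin) {
  const pending = new Map();
  let delivered = null;
  const parentHandler = makeParentHandler(pending);
  const parentWin = { postMessage: (data) => parentHandler({ origin: API_ORIGIN, data }) };
  const frameHandler = makeFrameHandler((path) => `body-of-${path}`);
  const frameWin = { postMessage: (data) => frameHandler({ origin: requestOrigin, data, source: parentWin }) };
  pending.set(1, (body) => { delivered = body; });
  sendBridgeRequest(frameWin, '/data', 1);
  return delivered; // 'body-of-/data' from APP_ORIGIN, null from any other origin
}
```

In a real page each handler is registered with `window.addEventListener('message', ...)` and `doRequest` is the frame's own XMLHttpRequest call.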
From: Bertrand Le Roy <Bertrand.Le.Roy at microsoft.com>
Sent by: security-bounces at openajax.org
To: OpenAjax Alliance Security Task Force <security at openajax.org>
Date: 03/06/2008 11:49 AM
Subject: Re: [OpenAjaxSecurity] Fw: IE8 Ajax features announced
Please respond to: OpenAjax Alliance Security Task Force <security at openajax.org>
Yes, last time I spoke with them about the w3c spec they said that they
wanted a much smaller attack surface, which seems to be what they went for
in this implementation. Whether this makes it good enough for the common
scenarios or if this is insufficient would probably be interesting feedback
for the IE team. My personal opinion is that it’s good enough and should
put to rest the security-anxiousness but it would be great to hear what
others think.
Bertrand
From: security-bounces at openajax.org [mailto:security-bounces at openajax.org]
On Behalf Of Jon Ferraiolo
Sent: Thursday, March 06, 2008 10:07 AM
To: security at openajax.org
Subject: [OpenAjaxSecurity] Fw: IE8 Ajax features announced
I am forwarding this URL which Bertrand passed our way. Microsoft has
announced some of the features that will be included in IE8. Given the
previous discussion on this list about W3C Access Control, I wanted to make
sure people noticed the IE8 cross-domain request feature.
It is quite interesting how minimalistic the IE8 cross-domain request
feature is. It looks to me like the feature does not send referrer URL,
does not allow setting custom HTTP headers and does not send cookies. If I
am correct on these issues, then if you want to send information such as
user credentials with the cross-domain request, those credentials would
have to be included in a POST payload.
Jon
------------------------
Bertrand says:
The Ajax section may be of interest to the group, in particular the
Cross-document Request and Cross-document Messaging parts.
http://www.microsoft.com/windows/products/winfamily/ie/ie8/readiness/DevelopersNew.htm
_______________________________________________
security mailing list
security at openajax.org
http://openajax.org/mailman/listinfo/security