[OpenAjaxSecurity] Fw: IE8 Ajax features announced

Jon Ferraiolo jferrai at us.ibm.com
Thu Mar 6 12:10:54 PST 2008


My feedback: I like the IE8 approach. In fact, I attempted to convince the
W3C that an approach like this was the best way to go. (But I expressed
this opinion mostly in terms of JSONRequest or something similar being a
better approach.)

Regarding the lack of flexibility with the IE8 feature (e.g., you can't set
headers and cookies don't get sent), if people need more flexibility, they
can use an IFRAME to talk to the other site, which allows full XHR within
that IFRAME, and then communicate between the two frames using the new
postMessage() feature that is also in IE8.

Jon
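The IFRAME-plus-postMessage workaround Jon describes, written out as an added example (not code from this post, the list, or Microsoft): the parent page asks a frame served from the other site to perform a normal same-origin XHR and post the result back. Because the frame's XHR carries cookies and headers that the IE8 cross-domain request deliberately omits, both sides must check origins: the receiver validates `event.origin` against an allow-list, the sender pins the target origin instead of using `*`, and the frame only honours a fixed set of paths. The origins (`https://app.example`, `https://api.example`), the allowed paths, and the JSON message shapes are assumptions made for the example.

```javascript
// Added example, not code from the post or from Microsoft: the IFRAME +
// postMessage bridge, with the origin checks that keep it from handing
// cookie-bearing XHR to any page able to embed the frame.
// The origins, paths and message shapes below are assumptions for the example.

const PARENT_ORIGIN = "https://app.example";  // assumed: the embedding page
const REMOTE_ORIGIN = "https://api.example";  // assumed: the other site; the iframe is served from here

// Shared: accept a message event only from an allow-listed origin and only if
// it carries a JSON object with a string "type". Returns the object or null.
function acceptMessage(event, allowedOrigins) {
  if (!event || !allowedOrigins.includes(event.origin)) return null;
  if (typeof event.data !== "string") return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null;
  }
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") return null;
  return msg;
}

// Parent side: ask the frame to fetch a path. The target origin is pinned to
// REMOTE_ORIGIN, so the browser drops the message if the frame has navigated
// elsewhere. Returns the serialised message for inspection.
function requestViaFrame(frameWindow, path) {
  const msg = JSON.stringify({ type: "fetch", path: path });
  frameWindow.postMessage(msg, REMOTE_ORIGIN);
  return msg;
}

// Frame side (served from REMOTE_ORIGIN): the XHR here is same-origin, so
// cookies and custom headers work, which is exactly why the frame must only
// act on requests from PARENT_ORIGIN and only for a fixed set of paths.
const ALLOWED_PATHS = ["/api/profile", "/api/feed"];  // assumed allow-list

function sameOriginGet(path) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", path, false);  // synchronous for brevity
  xhr.send(null);
  return xhr.responseText;
}

// xhrSend and reply are injected so the handler can be exercised without a browser.
function frameHandler(event, xhrSend, reply) {
  const msg = acceptMessage(event, [PARENT_ORIGIN]);
  if (!msg || msg.type !== "fetch") return "ignored";
  if (!ALLOWED_PATHS.includes(msg.path)) {
    reply(JSON.stringify({ type: "error", path: msg.path, reason: "path not allowed" }), PARENT_ORIGIN);
    return "rejected";
  }
  reply(JSON.stringify({ type: "result", path: msg.path, body: xhrSend(msg.path) }), PARENT_ORIGIN);
  return "sent";
}

// Parent side: take results only from REMOTE_ORIGIN; anything else is ignored.
function parentHandler(event) {
  const msg = acceptMessage(event, [REMOTE_ORIGIN]);
  if (!msg || msg.type !== "result") return null;
  return msg.body;
}

// Browser wiring; skipped under Node so the functions above can be exercised
// with constructed event objects.
if (typeof window !== "undefined") {
  const inFrame = window.parent !== window;
  window.addEventListener("message", function (ev) {
    if (inFrame) {
      frameHandler(ev, sameOriginGet, function (data, origin) {
        ev.source.postMessage(data, origin);
      });
    } else {
      parentHandler(ev);
    }
  });
}
```

The handlers take the XHR and reply functions as parameters so the same file serves both the browser wiring at the bottom and an offline check with constructed events. The path allow-list is the piece most often left out: without it the frame becomes a generic proxy for its own origin's cookies, which is the attack surface the IE8 restrictions were meant to shrink.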




                                                                           
             Bertrand Le Roy                                               
             <Bertrand.Le.Roy@                                             
             microsoft.com>                                             To 
             Sent by:                  OpenAjax Alliance Security Task     
             security-bounces@         Force <security at openajax.org>       
             openajax.org                                               cc 
                                                                           
                                                                   Subject 
             03/06/2008 11:49          Re: [OpenAjaxSecurity] Fw: IE8 Ajax 
             AM                        features announced                  
                                                                           
                                                                           
             Please respond to                                             
             OpenAjax Alliance                                             
               Security Task                                               
                   Force                                                   
             <security at openaja                                             
                  x.org>                                                   
                                                                           
                                                                           




Yes, last time I spoke with them about the w3c spec they said that they
wanted a much smaller attack surface, which seems to be what they went for
in this implementation. Whether this makes it good enough for the common
scenarios or if this is insufficient would probably be interesting feedback
for the IE team. My personal opinion is that it’s good enough and should
put to rest the security-anxiousness but it would be great to hear what
others think.

Bertrand

From: security-bounces at openajax.org [mailto:security-bounces at openajax.org]
On Behalf Of Jon Ferraiolo
Sent: Thursday, March 06, 2008 10:07 AM
To: security at openajax.org
Subject: [OpenAjaxSecurity] Fw: IE8 Ajax features announced



I am forwarding this URL which Bertrand passed our way. Microsoft has
announced some of the features that will be included in IE8. Given the
previous discussion on this list about W3C Access Control, I wanted to make
sure people noticed the IE8 cross-domain request feature.

It is quite interesting how minimalistic the IE8 cross-domain request
feature is. It looks to me like the feature does not send referrer URL,
does not allow setting custom HTTP headers and does not send cookies. If I
am correct on these issues, then if you want to send information such as
user credentials with the cross-domain request, those credentials would
have to be included in a POST payload.

Jon


------------------------


Bertrand says:

The Ajax section may be of interest to the group, in particular the
Cross-document Request and Cross-document Messaging parts.
http://www.microsoft.com/windows/products/winfamily/ie/ie8/readiness/DevelopersNew.htm
_______________________________________________
security mailing list
security at openajax.org
http://openajax.org/mailman/listinfo/security

