From: Hans-Georg Michna on 26 Feb 2010 12:59

On Fri, 26 Feb 2010 07:24:53 -0800 (PST), Jorge wrote:

> Denying access to the response might be a good thing, yes, but, by
> then it might be too late already. I think that the 2nd request -to
> the redirected domain/resource- should -probably- be discarded -never
> made- by the XHR object...? Or maybe not, that's why I'm asking.

If that always worked, it would make Ajax proxies (such as the proxy
demonstrated at http://winhlp.com/node/699 ) superfluous and would be
quite a bit faster, simpler, and easier on the server. However, I
suspect that it doesn't work reliably. Haven't tested it though.

Hans-Georg
From: Richard Cornford on 26 Feb 2010 12:59

On Feb 26, 5:26 pm, Jorge wrote:
> On Feb 26, 6:06 pm, Richard Cornford wrote:
<snip>
>> If an XML HTTP request object was going to refuse to
>> automatically redirect then it should present the status
>> 30X response to the calling code, and let it work out what
>> to do next.
>
> ISTM -looking at it into w3.org- that it will throw either
> a security err or a network err:

As I said, attempting a cross-domain redirect is asking for trouble.

> <quote>
<snip>

If you quote something you really should say what it is you are
quoting. Citing "w3.org" doesn't quite achieve that.

>>>> Cookies should follow the rules for cookies. Which cookies
>>>> go with which requests depends on their (actual or implied)
>>>> Path and Domain parameters.
>
>>> But you know that there are circumstances under which existing
>>> cookies are *not* sent.
>
>> That is what the rules for cookies say is possible. So your
>> point is?
>
> That it might have been that this were another of these
> circumstances.

That what might be "another of these circumstances"?

>>>> However, it would be reckless to be sending instructions to
>>>> be acted upon (especially in a financial context) in a cookie.
>
>>> I was thinking about session ID cookies.
>
>> If ever there was a type of cookie that should be restricted
>> to a single domain it is a session ID cookie.
>
> Exactly. Therefore my worry.

What worry? If the cookie is set with no Domain the result is that it
is restricted to the domain that sets the cookie, and it will not be
sent with any requests to other domains. If a Domain is specified then
the UA should not send that cookie to any other domain.

Richard.
From: Richard Cornford on 26 Feb 2010 13:15

On Feb 26, 5:58 pm, Scott Sauyet wrote:
> On Feb 26, 12:40 pm, Richard Cornford wrote:
>> On Feb 26, 5:31 pm, Stefan Weiss wrote:
>>> I didn't try any other browsers, but I would be very surprised
>>> if any of them (the more recent ones, at least) could be tricked
>>> into sending an XHR which violates the browser's security
>>> policies by something as simple as an HTTP redirect.
>
>> Why not? For a very long time it has been possible to 'trick' a
>> browser into making a request to another domain by setting
>> the - src - of a - new Image(); -. Making the request or not
>> is not that important so long as access to the result is denied.
>
> ... and if the request is actually idempotent.

Alright, what if the request is actually idempotent?

> I know GET and HEAD requests are supposed to be, but we all
> remember the havoc caused with many sites when some
> prefetching was released (was it Google Web Accelerator?)

I have absolutely no idea what you are talking about.

Richard.
From: Jorge on 26 Feb 2010 13:46

On Feb 26, 6:59 pm, Richard Cornford <Rich...(a)litotes.demon.co.uk> wrote:
> On Feb 26, 5:26 pm, Jorge wrote:
>> On Feb 26, 6:06 pm, Richard Cornford wrote:
>
>>>>> However, it would be reckless to be sending instructions to
>>>>> be acted upon (especially in a financial context) in a cookie.
>
>>>> I was thinking about session ID cookies.
>
>>> If ever there was a type of cookie that should be restricted
>>> to a single domain it is a session ID cookie.
>
>> Exactly. Therefore my worry.
>
> What worry? If the cookie is set with no Domain the result is that it
> is restricted to the domain that sets the cookie, and it will not be
> sent with any requests to other domains. If a Domain is specified then
> the UA should not send that cookie to any other domain.

This worry:

1.- You login to your bank at bank.com.
2.- Your browser has a session cookie for bank.com.
3.- You open a new window.
4.- You enter someOtherSite.com.
5.- The page from someOtherSite.com does an XHR to someOtherSite.com.
6.- The response to that XHR is a redirect to bank.com.
7.- As a consequence of step #6, another request is made to bank.com
from the someOtherSite.com page.
8.- Does the request at step 7 carry the cookie of step 2 (that's my worry)?

-- 
Jorge.
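The following is an added example and not code posted by anyone in this thread. It models the two things the posts above argue about: the Domain/Path cookie rules Richard states (a cookie with no Domain attribute is host-only; with Domain it also reaches subdomains; never any other domain) and Jorge's eight-step scenario (a page on someOtherSite.com whose XHR is redirected to bank.com). The hosts bank.com and someothersite.com, the cookies and the server responses are all constructed for the demo; the "XHR" is a small simulation that follows 30x responses automatically, as Richard says most implementations do, and then withholds a cross-origin response body from the script. Real browser internals (public-suffix checks, cookie expiry, CORS headers) are left out.

```javascript
// Added example, not from the thread: a model of RFC 6265 cookie scoping
// and of an XHR that follows redirects. All hosts, cookies and responses
// are constructed for the demo.

// Store a Set-Cookie header the way a UA would. With no Domain attribute the
// cookie is host-only and goes back only to the exact host that set it.
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true,
    path: '/',
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    if (k.toLowerCase() === 'domain' && v) {
      const d = v.replace(/^\./, '').toLowerCase();
      // A UA rejects a Domain that does not cover the host setting it
      // (public-suffix rules are omitted from this model).
      if (d !== cookie.domain && !cookie.domain.endsWith('.' + d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    } else if (k.toLowerCase() === 'path' && v) {
      cookie.path = v;
    }
  }
  return cookie;
}

// Domain-match: host-only cookies match one host; Domain cookies match that
// domain and its subdomains. No other domain ever matches.
function domainMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

function pathMatches(cookie, path) {
  const base = cookie.path.endsWith('/') ? cookie.path : cookie.path + '/';
  return path === cookie.path || path.startsWith(base);
}

// The Cookie header a UA attaches to a request for `url`. Note the argument
// list: the page that initiated the request is never consulted.
function cookieHeaderFor(jar, url) {
  const u = new URL(url);
  return jar
    .filter((c) => c && domainMatches(c, u.hostname) && pathMatches(c, u.pathname))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Model of an XHR created by a page at `origin`: follows 30x automatically,
// attaching cookies per destination, then denies the script access to a
// cross-origin response body. `servers` maps URL -> constructed response.
function xhrFollowingRedirects(jar, origin, url, servers, log) {
  for (let hop = 0; hop < 5; hop++) {
    log.push({ to: url, cookie: cookieHeaderFor(jar, url) });
    const resp = servers[url] || { status: 404, body: '' };
    if (resp.status >= 300 && resp.status < 400) {
      url = new URL(resp.location, url).href;
      continue;
    }
    const crossOrigin = new URL(url).origin !== new URL(origin).origin;
    return { finalUrl: url, status: resp.status, blocked: crossOrigin, body: crossOrigin ? null : resp.body };
  }
  throw new Error('too many redirects');
}

// Jorge's steps 1-8: logged in at bank.com, a page from someothersite.com
// issues an XHR to its own host, which answers with a redirect to bank.com.
function runScenario() {
  const jar = [
    parseSetCookie('SID=abc123; Path=/', 'bank.com'),           // step 2, no Domain attribute
    parseSetCookie('sess=other; Path=/', 'someothersite.com'),  // the other site's own session
  ];
  const servers = {
    'https://someothersite.com/api': { status: 302, location: 'https://bank.com/account' },
    'https://bank.com/account': { status: 200, body: 'balance: 1000' },
  };
  const log = [];
  const result = xhrFollowingRedirects(jar, 'https://someothersite.com', 'https://someothersite.com/api', servers, log);
  return { log, result };
}

// Richard's Domain point: no attribute keeps the cookie on the exact host;
// Domain=bank.com also reaches www.bank.com; a look-alike host gets nothing.
function domainAttributeDemo() {
  const jar = [
    parseSetCookie('SID=h; Path=/', 'bank.com'),
    parseSetCookie('pref=d; Domain=bank.com; Path=/', 'bank.com'),
  ];
  return {
    apex: cookieHeaderFor(jar, 'https://bank.com/'),
    sub: cookieHeaderFor(jar, 'https://www.bank.com/'),
    lookalike: cookieHeaderFor(jar, 'https://notbank.com/'),
  };
}

const demo = runScenario();
console.log(demo.log);     // hop 2 goes to bank.com carrying SID=abc123
console.log(demo.result);  // status 200, body null: the page cannot read it
console.log(domainAttributeDemo());
```

The second log entry answers step 8 the way the cookie rules say it must: cookies are chosen by the destination host, so the redirected request to bank.com carries bank.com's session cookie even though the page that caused it lives on someOtherSite.com. That is the same situation as the `new Image()` request Richard mentions, and what the same-origin policy guarantees is only that the script cannot read the response (the `body: null` in the result). The attribute that later addressed exactly this gap, `SameSite` on the cookie (which modern browsers default to `Lax`), did not exist when this thread was written and is not modelled here.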
From: Jorge on 26 Feb 2010 13:49

On Feb 26, 6:59 pm, Richard Cornford <Rich...(a)litotes.demon.co.uk> wrote:
> On Feb 26, 5:26 pm, Jorge wrote:
>> On Feb 26, 6:06 pm, Richard Cornford wrote:
> <snip>
>>> If an XML HTTP request object was going to refuse to
>>> automatically redirect then it should present the status
>>> 30X response to the calling code, and let it work out what
>>> to do next.
>
>> ISTM -looking at it into w3.org- that it will throw either
>> a security err or a network err:
>
> As I said, attempting a cross-domain redirect is asking for trouble.

You said as well:

<quote>
I suspect that you mean; will the XML HTTP request system automatically
act on the redirection and return the response from that alternative
source. To which the answer is that mostly they will.
</quote>

-- 
Jorge.