patch: stub implementation of XMLHttpRequest
Dirk Mueller
mueller at kde.org
Tue Feb 24 04:31:30 CET 2004
On Tuesday 24 February 2004 04:06, Maciej Stachowiak wrote:
> Stupidity on my part. I will be merging them soon. I'll make sure to
> send a patch when I do it.
Ok, will you go for "toHTML" or for "toString"? To me the latter actually
sounds better, I never liked the "toHTML" implementation in the non-HTML
NodeImpls :)
> It would be good to be consistent about this, although already by
> default cookies are separate for different ports on the same host,
> while XSS allows access.
do you know for sure that we *have to* allow XSS access for the "different
ports, same host" case?
also, it would be interesting to test if browsers allow requests to different
hosts if the domain of the document is adjusted first. did you test that?
Hmm, orkut doesn't let me register, so I can't test the code on something
realworld.
However, I have to think a bit more about the security implications of
granting Javascript access to the http level. This is quite grave..
Any ideas on what we have to _deny_ ? I don't have a good feeling to commit
the code without some serious security testing.
Dirk
More information about the Khtml-devel
mailing list