patch: stub implementation of XMLHttpRequest
Maciej Stachowiak
mjs at apple.com
Tue Feb 24 05:03:54 CET 2004
On Feb 23, 2004, at 7:31 PM, Dirk Mueller wrote:
> On Tuesday 24 February 2004 04:06, Maciej Stachowiak wrote:
>
>> Stupidity on my part. I will be merging them soon. I'll make sure to
>> send a patch when I do it.
>
> Ok, will you go for "toHTML" or for "toString"? To me the latter actually
> sounds better, I never liked the "toHTML" implementation in the non-HTML
> NodeImpls :)
I like toString better too, for two reasons. First of all, it applies
to XML as well as HTML. Second, an HTML DOM is a representation of HTML
just as much as an HTML string is, so toHTML doesn't sound like a
meaningful operation.
So since you agree, I'll go with toString.
>> It would be good to be consistent about this, although already by
>> default cookies are separate for different ports on the same host,
>> while XSS allows access.
>
> do you know for sure that we *have to* allow XSS access for the "different
> ports, same host" case?
No, I don't know for sure. Maybe we shouldn't. I can test this.
> also, it would be interesting to test if browsers allow requests to different
> hosts if the domain of the document is adjusted first. did you test that?
I'm not sure what you mean. How would you adjust the domain of the
document?
> Hmm, orkut doesn't let me register, so I can't test the code on something
> realworld.
Well it's invite-only. Do you know anyone who is a member? I think a
number of KDE hackers are on it. If not, I can send you an invite.
> However, I have to think a bit more about the security implications of
> granting Javascript access to the http level. This is quite grave..
It does seem risky. However, I believe the "same domain" policy makes
it not much more dangerous than the ability to document.write() an
invisible IFRAME.
> Any ideas on what we have to _deny_ ? I don't have a good feeling to commit
> the code without some serious security testing.
Do you mean, specific request contents that should be denied, besides
just restricting what URLs can be accessed?
Regards,
Maciej
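The two open questions in the thread, whether "same host, different port" should be treated as the same origin and whether adjusting the document's domain widens what a script may request, are answered in today's browsers by the same-origin policy as later standardized (WHATWG HTML and Fetch). The following is an added illustration of those rules, not KHTML code or anything from this thread. It assumes absolute URLs and the WHATWG URL API (available in browsers and Node.js); the function and variable names are invented for the example.

```javascript
// Added example: same-origin checks as browsers eventually standardized them.
// Not KHTML code. Assumes absolute URLs and the WHATWG URL API (global `URL`).

// Default ports per scheme, so "http://host:80/" and "http://host/" compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin tuple: scheme, lowercased host, effective port.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== '' ? u.port : (DEFAULT_PORTS[u.protocol] || '');
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// Strict same-origin: scheme, host AND port must all match. This is the rule
// an XHR-style request gate applies, so the "different port, same host" case
// from the thread is denied here (browsers settled on treating it as a
// different origin, unlike the per-host cookie jar).
function isSameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// `domain` must be the host itself or a proper domain suffix of it
// (e.g. "example.com" for "a.example.com"); a public-suffix check is omitted.
function isDomainSuffix(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// "Same origin-domain" (the document.domain relaxation). It only governs
// script access between documents, and requires BOTH sides to opt in by
// setting document.domain to the same value; once both do, the port is no
// longer compared. A document that never set document.domain (null) is not
// reachable this way, which bounds the risk Dirk asks about.
function isSameOriginDomain(docA, domainA, docB, domainB) {
  const oa = originOf(docA), ob = originOf(docB);
  if (domainA == null && domainB == null) return isSameOrigin(docA, docB);
  if (domainA == null || domainB == null) return false; // only one side opted in
  if (oa.scheme !== ob.scheme) return false;
  if (!isDomainSuffix(oa.host, domainA) || !isDomainSuffix(ob.host, domainB)) {
    return false; // a page cannot claim a domain it does not belong to
  }
  return domainA.toLowerCase() === domainB.toLowerCase();
}

// Gate for an outgoing request: under the Fetch standard the document's
// origin is used as-is, so setting document.domain does NOT widen the set of
// hosts a script may request. The documentDomain argument is accepted only
// to make that point explicit.
function allowRequest(documentUrl, requestUrl, documentDomain) {
  void documentDomain; // deliberately ignored
  return isSameOrigin(documentUrl, requestUrl);
}

// Constructed sample inputs for a quick self-check when run directly.
const SAMPLES = [
  ['http://example.com/page', 'http://example.com:80/api', true],
  ['http://example.com/page', 'http://example.com:8080/api', false],
  ['http://example.com/page', 'https://example.com/api', false],
];
for (const [doc, req, expected] of SAMPLES) {
  if (allowRequest(doc, req) !== expected) throw new Error(`unexpected result for ${req}`);
}
```

The cookie observation in the thread (cookies are shared across ports on the same host) remains true in browsers today, which is why the port being part of the origin tuple matters: the request gate and the cookie jar draw their boundaries differently.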