patch: stub implementation of XMLHttpRequest
Dirk Mueller
mueller at kde.org
Tue Feb 24 06:01:02 CET 2004
On Tuesday 24 February 2004 05:03, Maciej Stachowiak wrote:
> So since you agree, I'll go with toString.
please post the patch when you finished it, thanks.
> > do you know for sure that we *have to* allow XSS access for the
> > "different
> > ports, same host" case?
> No, I don't know for sure. Maybe we shouldn't. I can test this.
Would be great :)
>
> > hosts if the domain of the document is adjusted first. did you test
> > that?
> I'm not sure what you mean. How would you adjust the domain of the
> document?
via Javascript. Assuming that the script is currently loaded from the document
in the domain "www.kde.org", you can do this:
document.domain="bugs.kde.org";
and then it would be interesting if XMLHttpRequest allows access to
bugs.kde.org
> It does seem risky. However, I believe the "same domain" policy makes
> it not much more dangerous than the ability to document.write() an
> invisible IFRAME.
Well, if we do all correct, then there is no additonal risk, I agree. However,
if there is a bug somewhere..
> > the code without some serious security testing.
> Do you mean, specific request contents that should be denied, besides
> just restricting what URLs can be accessed?
Yes, exactly, if there is anything more than restricting the access method
(get, put, head etc) and the url.
Dirk
More information about the Khtml-devel
mailing list