patch: stub implementation of XMLHttpRequest
Maciej Stachowiak
mjs at apple.com
Wed Feb 25 06:14:50 CET 2004
On Feb 24, 2004, at 5:16 PM, Dirk Mueller wrote:
> On Tuesday 24 February 2004 23:21, Maciej Stachowiak wrote:
>
>> "www.kde.org" to "kde.org". So perhaps it's not that much of a risk,
>> but yes, it will affect XMLHttpRequest just like it affects XSS.
>
> euhm.. now you're implying that it is actually applied to
> XMLHttpRequest. The
> current implementation in Safari, however does not do that. Its a
> completely
> separate and incompatible check to the XSS one.
Ah, you're right. We look at the document's URL, not the domain, which
is a stricter check. I think it's good for XMLHttpRequest to have the
stricter check, and I am not sure why you are allowed to change the
domain from JS for purposes of XSS checking.
> So can I interpret from that that you changed the XSS check
> implementation?
No, and I don't think I'm going to. You should not be able to access
documents from another server with XMLHttpRequest, IMO.
>
>>> (get, put, head etc) and the url.
>> Nope, no such thing. You can put anything in the headers or body.
>
> Sure, but thats not a secure implementation.
Well I am still not 100% convinced (offline discussion) but I'll test.
I don't think other implementations do any checking of the headers or
body.
Regards,
Maciej
More information about the Khtml-devel
mailing list