Cross-domain Secure Data Access

From RuntimeWiki


NOTE: This feature has been moved to the inactive list because the latest browsers are already addressing it by implementing either W3C Access Control or Microsoft's XDomainRequest.


Title

Secure Cross-domain Data Access

Detailed write-up

Description

Though the “Same Origin Policy” allows a page to load scripts from other origins (what this page calls cross-site scripting), it does not allow a web application to read data from servers other than its own. The current way of accessing cross-domain data therefore typically relies on this cross-site scripting (XSS) loophole, which raises many security concerns.

Why Is This Important?

The next generation of web applications will be much more data intensive. They will want to exchange data with servers other than the originating server, and there is currently no way of achieving this except by exploiting the “cross site scripting” loophole described above. In fact, the so-called “Mashup” phenomenon, such as embedding Google Maps onto one's own web page, relies on this technique, leaving many web applications exposed to significant security risk.

Possible Solutions

  1. JSONRequest, as proposed in reference http://json.org/JSONRequest.html;
  2. Cross-domain Request (XDR), XDomainRequest, built into IE8 (http://www.microsoft.com/windows/products/winfamily/ie/ie8/readiness/DevelopersNew.htm);
  3. W3C Access Control, http://www.w3.org/TR/access-control/
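All three proposals replace the script-inclusion loophole with an explicit opt-in by the data server, which decides per request whether the calling page's origin may read the response. The following is an added example of that server-side decision (it is not code from this wiki or from any of the proposals): an allow-list check for the request's Origin value, written for the W3C Access Control model that IE8's XDomainRequest also honours. The origin allow-list and the "weak" check shown for contrast are assumptions made for the example.

```javascript
// Added example: server-side origin decision for a cross-domain data endpoint
// following the W3C Access Control model. Assumed allow-list of trusted origins.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://mashup.example.org',
]);

// Weak check (shown for contrast): a prefix test is satisfied by a look-alike
// origin such as https://app.example.com.attacker.test, so it must not be used.
function isAllowedOriginWeak(origin) {
  return [...ALLOWED_ORIGINS].some((trusted) => String(origin).startsWith(trusted));
}

// Hardened check: parse the Origin value, reject anything that is not a bare
// scheme://host[:port] triple, and compare the normalised origin exactly.
function isAllowedOrigin(origin) {
  if (typeof origin !== 'string') return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // e.g. the literal string "null" sent for opaque origins
  }
  if (url.pathname !== '/' || url.search || url.hash || url.username) return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// Response headers for a cross-domain data request. Returns null when the
// origin is not trusted; the caller then omits the Access-Control headers
// entirely, and the browser refuses to hand the body to the calling page.
function accessControlHeaders(requestOrigin) {
  if (!isAllowedOrigin(requestOrigin)) return null;
  return {
    // Echo the exact origin rather than '*': '*' would expose the data to
    // every site on the web.
    'Access-Control-Allow-Origin': new URL(requestOrigin).origin,
    // Caches must key on Origin so one site's permitted response is never
    // replayed to another site.
    'Vary': 'Origin',
  };
}
```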

Background material that requests this feature

  1. JSONRequest, Douglas Crockford;
  2. How do I make my site 'light up' with Internet Explorer 8, Microsoft;
  3. Cross Domain Data Exchange Using Cascading Style Sheet as Data Carrier, Gideon Lee;
  4. Possible Solutions to Web Security Issues (Coach Wei's summary of these few pages).

Discussion

In this section, the contributors should express their opinions about this feature request, such as providing particular technical analysis or describing in prose why this feature is important (or not). It is recommended that each contributor create his own level-3 sub-section (e.g., === Jon Ferraiolo Comments ===).

It is OK for others to insert comments within other people's sections, but as a courtesy please make sure that it is clear which part of the section is original and which parts are annotative comments. For example, annotative comments could be colorized (e.g., enclosed by <span style="color:red">JON: Here is what I think about what you are saying.</span>).

Phase I Voting - Vote for Your Top 5 Features

NOTE: PHASE I VOTING IS NOW OPEN. (2008-04-01) We have now changed the voting procedure. Instead of putting votes on each separate wiki page, we are asking people to cast their Phase I Votes on the following wiki page:


Phase II Voting

More about this later.
