XML News from Friday, March 20, 2009

The W3C Voice Browser, Web APIs, and Web Application Formats (WAF) Working Groups have posted a new working draft of Cross-Origin Resource Sharing (formerly Access Control for Cross-site Requests). According to the draft, "This document defines a mechanism to enable client-side cross-origin requests. Specifications that want to enable cross-origin requests in an API they define can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this specification (e.g., specifying Access-Control-Allow-Origin: http://example.org as response header), which would allow that resource to be fetched cross-origin from http://example.org." In other words, Bob's browser can download a JavaScript program from Alice's server. The JavaScript served from Alice's computer but running in Bob's browser can now download more data from Eve's server if Eve allows it.
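
The opt-in described above can be modelled from both sides. The following is an added example, not code from the draft or from this page: Eve's server decides whether to send `Access-Control-Allow-Origin`, and Bob's browser decides whether the script from Alice's origin may read the response. The function names and the allowlist are hypothetical, and the credentials rule follows CORS as browsers implement it, since the page itself quotes only `Access-Control-Allow-Origin`.

```javascript
// Added example: a model of the CORS opt-in, not a real server or browser.
// Header maps are plain objects with exact-case keys (real HTTP header
// names are case-insensitive; this model skips that for brevity).

// Eve's server: the origins she has chosen to opt in to (constructed value).
const ALLOWED_ORIGINS = new Set(["http://example.org"]);

// Server side: build the CORS response headers for a request's Origin header.
function corsHeadersFor(requestOrigin, { allowCredentials = false } = {}) {
  // The response varies by Origin, so shared caches must key on it.
  const headers = { "Vary": "Origin" };
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    // Echo only an origin that is on the allowlist, never an arbitrary one.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    if (allowCredentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  return headers; // no Allow-Origin header means no opt-in
}

// Browser side: may a script from scriptOrigin read this response?
function browserShares(scriptOrigin, responseHeaders, withCredentials = false) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return false; // the resource did not opt in
  if (withCredentials) {
    // Cookies or HTTP auth were sent: the wildcard is not accepted and the
    // server must explicitly allow credentials.
    if (allow === "*") return false;
    if (responseHeaders["Access-Control-Allow-Credentials"] !== "true") {
      return false;
    }
  } else if (allow === "*") {
    return true; // anonymous request, resource is open to every origin
  }
  // Exact, case-sensitive comparison of the serialized origin.
  return allow === scriptOrigin;
}

// Alice's script (origin http://example.org) runs in Bob's browser and
// requests a resource from Eve's server.
const alice = "http://example.org";
console.log(browserShares(alice, corsHeadersFor(alice)));                  // opted in
console.log(browserShares("http://other.example",
                          corsHeadersFor("http://other.example")));        // not opted in
```

The check only controls whether the script can read the response; the request itself still reaches Eve's server, so her logs record it either way.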

I finally see how this works, but there are some major flaws here. There are several reasons cross-server requests have been banned in Java and JavaScript for the last 15 years: distributed denial of service attacks, behind-the-firewall scanning, and information distribution to 3rd parties. This approach ameliorates these problems, but does not eliminate them. Each of those possible attacks is less powerful and effective when this regime is in place, but is still possible. It also makes it dramatically easier for 3rd parties to write and install software to track user behavior across web sites. User privacy concerns do not appear to play any part in the design of this spec.