On 19 May 2010 12:07, Aaron Boodman <a...@google.com> wrote:
> Hey Blaine,
>
> I read your blog post about this when it was first posted. Allowing
> cross-origin requests is not a possibility because it would be a huge
> security issue. For example, it would allow web sites on the internet
> to crawl a user's intranet.
I'm sad to hear this. I understand the security implications, but
disagree on your tactic here. I can publish a native app that is
downloadable and immediately executable with absolutely no security
warnings whatsoever.
Intranet administrators avoid this security issue by issuing policies
that users aren't allowed to download arbitrary apps and install them.
By offloading just this one point of control to the web, we're
seriously restricting the utility of HTML5 Apps. For example, a
Twitter client like Tweetie would be impossible to build without JSONP
or CORS support from every single service involved in building that
app; the cost to rapid development is immense, and I hope Google
reconsiders this.
> If you need cross-origin requests, you can implement your app as a
> Chrome extension. Extensions are higher privilege, and have more
> strenuous security warnings. We want to keep web apps nice and safe so
> that the install can be very lightweight.
I have to push back here a little – a web app that I have essentially
no relationship with will be able to:
- know my exact physical location
- consume all the storage on my device, potentially performing a DoS attack
- read local files from my hard drive (via the FileAPI)
- [eventually] use my microphone and my video camera
But it's too much to ask it to be able to make web requests?
The privacy and security implications of web-based apps funnelling all
of a user's activities through a single domain are far scarier than
arbitrary web requests. The latter is well understood in the context
of the desktop OS. Every single application you download has these
permissions. We're only just beginning to struggle with the
implications of the former, and the backlash against Facebook is only
the beginning.
Another way of putting it is that I trust applications that I've
installed and for which I can view the source code to verify that
they're not doing creepy "phone-home" things with my data more than I
do a web app that hides from me what its actual actions are in a sea
of "proxying".
Since I'm ranting, I may as well mention that the same-origin policy
isn't actually specified anywhere; it's just one of many approaches to
security. Intranet administrators have many other issues to deal with
as I mentioned above, and the same-origin policy doesn't really make
things any easier for people trying to prevent XSS attacks, since as a
site developer you still need to validate each and every request. It's
a useful tool, but it's just a tool, and blind devotion to it is
holding back what can be done with HTML5 Apps.
b.