
Re: Relaxing XHR vs TCP/UDP socket access


Chris Jones

May 21, 2012, 8:17:42 PM
to Paul Theriault, Mozilla B2G mailing list
----- Original Message -----
> From: "Paul Theriault" <pther...@mozilla.com>
> To: "Mozilla B2G mailing list" <dev...@lists.mozilla.org>
> Sent: Sunday, May 20, 2012 7:08:42 PM
> Subject: [b2g] Relaxing XHR vs TCP/UDP socket access
>
> To me, there seemed to be two separate use cases:
> 1. Access to retrieve http(s) accessible resource over the internet
> (RSS feed, media data etc)

Small clarification: to resources on different-origin servers that don't necessarily support CORS. Otherwise we have all the API support we need, currently.

> The main risk of both (as I see it) is data on internal networks
> being exposed to external parties. 1 is a subset of 2, and potentially
> less risky, although this is probably dangerous. Do you think there is
> value in having two separate permissions, one for relaxed XHR, and one
> for raw socket connections?
>

I believe there is. The reason that I'm strongly in favor of a specifically-relaxed XHR is that implementing an HTTP stack on top of TCPSocket that's compatible with Gecko's native HTTP stack is not really feasible. Same goes for other engines. One proposal from dveditz was making relaxed XHR even finer-grained, having the permission encompass a set of white-listed origins (e.g. "relaxed-xhr(foo.bar.com,...)"). I like that idea.

> There was talk at the B2G work week of relaxing cross-domain
> restrictions for trusted apps (which restrictions?),

Same-origin restriction on XHR.

> to achieve parity with native apps. (In which case I assume all
> trusted apps could already use case 1, but need additional permissions
> to use case 2) I haven't heard any more on this - can anyone comment,
> or is there a bug to track this feature?
>

This is the bug you linked above.

Cheers,
Chris

> Thanks,
> Paul
>
>
>
> _______________________________________________
> dev-b2g mailing list
> dev...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-b2g
>
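
The origin-whitelisted permission proposed in the reply above ("relaxed-xhr(foo.bar.com,...)") could be enforced along these lines. This is an added example, not part of the original message and not Gecko or B2G code; the function names, the exact-host matching rule and the sample origins are assumptions.

```javascript
// Hypothetical enforcement of a grant written as "relaxed-xhr(host1,host2)".
// Function names and matching rules are assumptions made for this example.
const HOST_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/;

// Returns a Set of allowed hosts, or null if the grant is absent or malformed.
function parseRelaxedXhr(permission) {
  const m = /^relaxed-xhr\(([^()]*)\)$/.exec(String(permission).trim());
  if (!m) return null;
  const hosts = m[1].split(",").map((h) => h.trim().toLowerCase());
  // Fail closed: an empty entry, a wildcard or any non-hostname token voids
  // the whole grant rather than widening it.
  if (!hosts.every((h) => HOST_RE.test(h))) return null;
  return new Set(hosts);
}

function isRequestAllowed(permission, appOrigin, targetUrl) {
  let target;
  try {
    target = new URL(targetUrl);
  } catch (e) {
    return false; // unparseable URL
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  // Same-origin requests never needed the relaxation.
  if (target.origin === new URL(appOrigin).origin) return true;
  const allowed = parseRelaxedXhr(permission);
  if (allowed === null) return false;
  // Exact match on the parsed host. The URL parser lower-cases the host and
  // separates userinfo, so look-alikes such as "foo.bar.com.evil.example" or
  // "foo.bar.com@evil.example" are compared by their real host.
  return allowed.has(target.hostname);
}

// Constructed sample grant and app origin.
const GRANT = "relaxed-xhr(foo.bar.com, feeds.example.org)";
const APP = "https://app.example.net";
```

With this grant, a request to a host on the internal network (for example `http://192.168.1.1/`) is refused because it is not listed, which is the exposure the thread is concerned about.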