Cross-Site DOM Form Element Modification
Can someone, anyone, give a good example why denying access to form element properties across sites is a good idea? From where I stand right now there is no good reason for Mozilla to be denying access to form elements across sites. All I see are a lot of poor examples where what's passed should be validated. You know, validating data? That's just part of it, though, because using Ajax doesn't change anything at all. See, all it does is add an Ajax request/function that, exposed or not, is still exploitable by an attacker. Then there is Cross-Site XMLHttpRequest; all this does is make a lot more work for people who need to update the elements or DOM objects and doesn't solve anything really. "This level of control gives content creators greater amounts of flexibility when it comes to allowing their users to build mashups and applications using their information." What? No it doesn't, it just adds a layer of perceived control and security, which really isn't there. Now, I'm not saying this is totally useless because defining who gets what is useful. Except at the end of the day you don't really control who gets what if it's on the web, unless you are taking the blood of your users and matching DNA. The core of the problem still seems to be validation. So why all the goddamn gimmicks?
About Christopher Warner
Christopher Warner is part genius, part idiot. This makes him well balanced. He's worked on numerous open source projects with great people and has generally led an eventful and fulfilling life. He hopes to retire an old man in a rocking chair should he be so fortunate.