From: Kevin Carhart
To: Edbrowse-dev@lists.the-brannons.com
Date: Sun, 11 Mar 2018 22:09:55 -0700 (PDT)
Subject: [Edbrowse-dev] XHR same-domain restriction

Speaking of securing the filesystem and following up on Dominique's message from a few days ago, do we want to implement the restriction that XHR is only allowed to load pages from the domain that you are currently on?

If so, is this a workable phrasing to make the test? Assuming an xhr object which I am referencing as 'this', this.url is a string. So I turn it into our URL class in order to easily grab and test the host.

    if (new URL(this.url).host == window.location.host) {
        allow fetchHTTP to run
    } else {
        prevent fetchHTTP from running
        set this.aborted = true
        throw a new error with a message
    }

Here's a startwindow that makes this change if we want to do this.
http://carhart.net/~kevin/startwindow_20180311.zip

Tested on the dummy page
http://carhart.net/~kevin/badxhr.html

Without the change, xhr.responseText gets the contents of http://pizza.com
With the change, it refuses to load http://pizza.com from carhart.net
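
Added example, not part of the original message or of edbrowse's startwindow code: a same-origin test that extends the host comparison proposed above to scheme and port, and resolves relative URLs against the page before comparing. It assumes the standard WHATWG `URL` class (global in Node.js and browsers); `sameHost`, `sameOrigin` and `guardXhr` are hypothetical names, and the URLs other than the two from the message are constructed.

```javascript
// Added example (not edbrowse code). Assumes the WHATWG URL class.

// Host-only comparison, as in the message, but with the page as base URL
// so that relative request URLs parse instead of throwing.
function sameHost(requestUrl, pageUrl) {
  return new URL(requestUrl, pageUrl).host === new URL(pageUrl).host;
}

// Origin comparison: scheme, hostname and port must all match.
function sameOrigin(requestUrl, pageUrl) {
  let target, page;
  try {
    target = new URL(requestUrl, pageUrl); // resolve relative URLs
    page = new URL(pageUrl);
  } catch (e) {
    return false; // unparseable URL: refuse rather than guess
  }
  // file:, data: and similar schemes serialize their origin as "null";
  // treat them as never same-origin so XHR cannot reach the filesystem.
  if (target.origin === "null" || page.origin === "null") return false;
  return target.origin === page.origin;
}

// Guard with the behaviour of the pseudocode: mark aborted, then throw.
// `xhr` is any object with a string `url` property (hypothetical shape).
function guardXhr(xhr, pageUrl) {
  if (!sameOrigin(xhr.url, pageUrl)) {
    xhr.aborted = true;
    throw new Error("XHR blocked: " + xhr.url + " is cross-origin for " + pageUrl);
  }
  return true; // caller may proceed to fetchHTTP
}

// Constructed sample: the test page from the message and several targets.
const PAGE = "http://carhart.net/~kevin/badxhr.html";
const SAMPLES = [
  "http://pizza.com",            // different host
  "data.json",                   // relative, same origin
  "https://carhart.net/x",       // same host, different scheme
  "http://carhart.net:8080/x",   // same hostname, different port
  "file:///etc/passwd",          // local file
];
for (const u of SAMPLES) {
  console.log(u, "host-only:", sameHost(u, PAGE), "origin:", sameOrigin(u, PAGE));
}
```

The scheme-change row is the one where the two checks disagree: the host-only test accepts it, the origin test does not.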