<%@ include file="prefix.html" %>

X-RequestOrigin

The Problem

XWT apps are mobile, untrusted code. When run on a client behind a firewall, they appear (from the firewall's perspective) to be as trustworthy as the human operating the machine -- an incorrect assumption. Most other applications deal with this problem by restricting the mobile code so that it can only contact the host it came from. Unfortunately this is not possible when the client relies on its HTTP proxy for name resolution.

The Old Solution

XWT used to solve this problem by using a "trusted resolver" running on xmlrpc.xwt.org to simulate a DNS server. This is a problem, however, for users on private networks who do not have access to the Internet; it also introduces a single point of failure.

The New Solution

As part of a joint effort with the Macromedia Corporation, the XWT Foundation has drafted a standard for indicating to a proxy that a request is being made on behalf of untrusted mobile code; the proxy can then make an appropriate security decision to permit or deny the request.
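
A sketch of the proxy-side decision described above, as an added example (not code from XWT or from the draft standard). It assumes the X-RequestOrigin value is the host name the mobile code was loaded from; the function names, sample hosts and the policy itself (allow the origin host, deny anything that resolves to an internal address) are hypothetical.

```python
import ipaddress

HEADER = "x-requestorigin"  # header name from this page, lower-cased for matching

# Address ranges the proxy treats as "behind the firewall" (assumed policy).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def proxy_decision(headers, target_host, resolve):
    """Return "permit" or "deny" for one proxied request.

    headers: request headers as a dict; resolve: the proxy's own resolver,
    a callable mapping a host name to a list of IP address strings.
    """
    # HTTP header names are case-insensitive.
    origin = next((v.strip().lower().rstrip(".") for k, v in headers.items()
                   if k.lower() == HEADER), None)
    if origin is None:
        return "permit"  # not flagged as mobile code: ordinary policy applies
    if not origin:
        return "deny"    # flagged, but no origin to compare against
    if target_host.lower().rstrip(".") == origin:
        return "permit"  # mobile code contacting the host it came from
    try:
        addrs = resolve(target_host)
    except LookupError:
        return "deny"    # unresolvable target: fail closed
    # Every address must be external; one internal record is enough to deny.
    if not addrs or any(is_internal(a) for a in addrs):
        return "deny"
    return "permit"

# Constructed sample data: hypothetical hosts and a stand-in resolver table.
DNS_TABLE = {
    "apps.example.org": ["203.0.113.10"],
    "cdn.example.net": ["203.0.113.20"],
    "wiki.corp.example": ["10.1.2.3"],
    "mixed.example.net": ["203.0.113.30", "192.168.0.5"],
}
resolve = DNS_TABLE.__getitem__  # raises KeyError (a LookupError) if unknown
flagged = {"X-RequestOrigin": "apps.example.org"}
```

Because the proxy resolves the target itself, the check works even when the client has no DNS of its own, which is the case the page says defeats client-side origin restrictions.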

Relevant Materials

<%@ include file="suffix.html" %>