[access-control] Authenticated GET requests

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 23 Oct 2007 15:50:19 +0200
To: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.t0nkp5vr64w2qv@annevk-t60.oslo.opera.com>

Hi,

One of our security guys is not happy with cross-site authenticated GET  
requests without some sort of verification from the server beforehand that  
it is actually ok to do that. Even though it is already possible to do
so currently using <img> and <iframe>, he thinks that practice shouldn't be
further supported by making it mandatory for user agents to support that.  
The thought being that it might be possible to improve the situation for  
<img>/<iframe>/etc. at some point in the future. Any thoughts?

Kind regards,


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 23 October 2007 13:50:13 GMT
