- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Fri, 8 Feb 2008 10:38:08 +0200
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
On Feb 7, 2008, at 19:15, Close, Tyler J. wrote:

> Is the user or the Referer-Root site accountable for a cross-domain
> non-GET request? Does the proposed protocol make it possible for the
> site hosting the resource to correctly determine the answer to that
> question?

XHR is driven by scripts written in a Turing-complete imperative programming language. Making the browser analyze the relationship of user action and XHR action is not a solvable problem in the general case.

So instead of trying to analyze what the script does, we are left with the belief of trust that the script acts properly on the user's behalf. If the recipient of the cross-site request chooses to trust an untrustworthy site, all bets are off when it comes to placing the blame on the user vs. a rogue script.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Friday, 8 February 2008 08:38:36 UTC
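The point above is that the only lever the resource host has is which requesting sites it chooses to trust. The following is an added example, not code from the thread or from any of the participants: a model of that recipient-side decision, assuming (hypothetically) that the browser attaches the requesting site's root as a `Referer-Root` header as discussed in the thread, and that the host keeps an explicit allow-list of roots. The allow-list and sample requests are constructed for the example.

```python
"""Recipient-side trust decision for a cross-site XHR (added example).

Assumes a hypothetical `Referer-Root` request header naming the root of the
site whose script issued the request, and a server-kept allow-list of roots
trusted to act on the user's behalf.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the roots this resource trusts to act for the user.
TRUSTED_ROOTS = frozenset({"https://app.example.com", "https://partner.example.net"})

SAFE_METHODS = frozenset({"GET", "HEAD"})


def normalize_root(value):
    """Canonicalise a Referer-Root value to 'scheme://host[:port]'.

    Returns None for anything that is not an absolute http(s) root, so a
    missing or malformed header can never accidentally match the allow-list.
    Lower-cases the host and drops the default port so that comparison with
    the allow-list is an exact string match rather than a prefix or substring
    match (a prefix match would accept "https://app.example.com.other.example").
    """
    if not value:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def decide(method, headers, trusted=TRUSTED_ROOTS, public_read=False):
    """Return (allowed, reason) for a cross-site request.

    Once a root is on the allow-list every script served from it is trusted,
    so the list is exact-match and should be as short as possible. Requests
    with no attributable root fail closed except for reads of a resource the
    host has explicitly marked public.
    """
    root = normalize_root(headers.get("Referer-Root"))
    method = method.upper()
    if root in trusted:
        return True, f"root {root} is on the allow-list"
    if root is None:
        return (method in SAFE_METHODS and public_read,
                "no attributable root; only public reads are served")
    if method in SAFE_METHODS and public_read:
        return True, f"read of a public resource from untrusted root {root}"
    return False, f"{method} from untrusted root {root} refused"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("POST", {"Referer-Root": "https://app.example.com/"}),
        ("POST", {"Referer-Root": "https://app.example.com.other.example"}),
        ("POST", {}),
        ("GET", {"Referer-Root": "https://other.example"}),
    ]
    for method, headers in samples:
        print(method, headers.get("Referer-Root"), "->", decide(method, headers))
```

The decision is deliberately binary per root: there is no attempt to tell a user-initiated request from a script-initiated one, because, as the message says, the browser cannot make that distinction in general and the server sees even less.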