W3C home > Mailing lists > Public > public-html@w3.org > January 2009

Re: Origin header in loading external scripts (ISSUE-63)

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 26 Jan 2009 19:21:24 +0100
To: "Adam Barth" <w3c@adambarth.com>, "Thomas Broyer" <t.broyer@gmail.com>
Cc: public-html <public-html@w3.org>
Message-ID: <op.uodmlyq964w2qv@annevk-t60.oslo.opera.com>

On Mon, 26 Jan 2009 19:01:34 +0100, Adam Barth <w3c@adambarth.com> wrote:
> Wouldn't it be better for the <script> tag to understand CORS?  This
> is a confidentiality issue, which is what CORS is aimed at.

In the end the proper solution here is to not use <script> as API but use  
CORS in combination with XMLHttpRequest. For both parties it seems, to not  
expose data you do not want to (API developer side) and to not allow  
random scripts to execute in the context of your page (API user side).

We cannot change the loading model of <script> itself at this point, but  
we can introduce better alternatives (and will) going forward.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 26 January 2009 18:22:19 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:39:00 UTC