- From: Albert Lunde <atlunde@panix.com>
- Date: Thu, 3 Dec 2009 10:01:06 -0500
- To: public-web-security@w3.org
> After analyzing this particular situation, I am not sure it makes sense
> to apply the same-origin policy as-is to low-level HTTP clients as
> opposed to browser-like clients. There may be some variant of the
> same-origin policy that some subset of low-level network clients should
> consider.
For every API that chooses to enforce a same-origin policy there
will be a lower-level set of transport functions able to
ignore it. It's futile to try to claim that everything should
enforce a same-origin policy.
Instead try to document what APIs that enforce a same-origin
policy should do, and lay out the contexts where this is desirable.
(There are a few too many Turing-complete scripting engines
running in the typical web browser, and placing some
deliberate restrictions on them at _some_ level _is_
a good idea...)
--
Albert Lunde albert-lunde@northwestern.edu
atlunde@panix.com (new address for personal mail)
Received on Thursday, 3 December 2009 15:01:34 UTC