W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

Re: XMLHttpRequest Object feedback

From: Jim Ley <jim@jibbering.com>
Date: Fri, 7 Apr 2006 20:40:49 +0100
Message-ID: <004001c65a7b$2d1de910$2402a8c0@Snufkin>
To: <public-webapi@w3.org>

"Mark Nottingham" <mnot@yahoo-inc.com>
>> Except of course you only allow them if there's some hypothetical  cross
>> domain XHR, something which doesn't exist,
>
> AIUI that's under discussion in a TF now.

So the task force can decide the behaviour rather than pre-empting their 
conclusions with a MUST or SHOULD that is only relevant after they have 
decided.  Given that at least one likely conclusion will be a whitelist file 
allowing cross domain from such sites, your use case is met without 
endangering user freedoms.

>> and then usefully there's a way
>> of taking an XHR stream and converting it to an image or video  stream, 
>> again
>> something that doesn't exist.
>
> You're losing me here; how do "image or video streams" come into it?

Because anything included in an IFRAME or new window is already trivially 
able to be retrieved without a referrer header in the vast majority of UAs 
that support script today.  The only things you cannot do is add an image 
with img (you can with iframe) or css background or content in an embed 
element, so the only relevant protection you're introducing is in these 
formats, not simple HTML or text documents.

>> The most prominent being the same Accessibility Testing assistant 
>> mentioned
>> elsewhere.
>
> ref?

http://www.w3.org/mid/065b01c658e9$eb1ba6c0$817ba8c0@Snufkin

Cheers,

Jim. 
Received on Friday, 7 April 2006 19:42:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT