Re: IE Team's Proposal for Cross Site Requests

On Mar 15, 2008, at 01:59, Eric Lawrence wrote:

> XDR is intended for "public" data.  We explicitly suggest that  
> Intranet servers do not expose private data through this mechanism.   
> In order to ensure that no existing servers/services (in any zone)  
> are put at risk, XDR does not send credentials of any sort, and  
> requires that the server acknowledge the cross-domain nature of the  
> request via the response header.


In practice, though, cross-site requests for user-specific data are so  
interesting that people will do it anyway. The user will have to trust  
the third-party site with credentials or a token which will be encoded  
in the URI or in the POST payload. The inability to pass credentials/ 
token in the HTTP headers will not stop communicating that data--it'll  
only be communicated in an inconvenient way.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Saturday, 15 March 2008 20:40:58 UTC