
Re: IE Team's Proposal for Cross Site Requests

From: Henri Sivonen <hsivonen@iki.fi>
Date: Sat, 15 Mar 2008 22:40:08 +0200
Cc: "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Sunava Dutta <sunavad@windows.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
Message-Id: <4A916404-ADD0-44B5-A6E8-240E36D18DF2@iki.fi>
To: Eric Lawrence <ericlaw@exchange.microsoft.com>

On Mar 15, 2008, at 01:59, Eric Lawrence wrote:

> XDR is intended for "public" data.  We explicitly suggest that  
> Intranet servers do not expose private data through this mechanism.   
> In order to ensure that no existing servers/services (in any zone)  
> are put at risk, XDR does not send credentials of any sort, and  
> requires that the server acknowledge the cross-domain nature of the  
> request via the response header.


In practice, though, cross-site requests for user-specific data are so
interesting that people will do it anyway. The user will have to trust
the third-party site with credentials or a token which will be encoded
in the URI or in the POST payload. The inability to pass credentials/token
in the HTTP headers will not stop communicating that data--it'll
only be communicated in an inconvenient way.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Saturday, 15 March 2008 20:40:58 GMT
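The workaround Henri predicts, as an added illustration that is not part of this thread and not Microsoft's XDR code: the client drops cookies and HTTP auth the way the proposal requires, so the application recovers the user from a token carried in the query string or the POST body instead. The acknowledgement header name, the hostname, the token and the token table are all constructed for this example.

```javascript
'use strict';

// Credentials that XDR, as proposed, never attaches to a cross-domain request.
const CREDENTIAL_HEADERS = new Set(['cookie', 'authorization']);

// Constructed token table standing in for a server-side session store.
const TOKENS = { 't0k3n-alice': 'alice' };

// Client side. Mimics the XDR rule: whatever headers the page supplies,
// no cookie or HTTP auth header leaves the browser.
function buildXdrRequest(method, requestUrl, headers, body) {
  const sent = {};
  for (const [name, value] of Object.entries(headers || {})) {
    const lower = name.toLowerCase();
    if (!CREDENTIAL_HEADERS.has(lower)) sent[lower] = value;
  }
  return { method, url: requestUrl, headers: sent, body: body || '' };
}

// Server side. No cookie arrives, so the application recovers the user from
// a token in the query string or in a form-encoded POST body, and acknowledges
// the cross-domain request with a response header (header name assumed here).
function handleXdr(req, tokens) {
  const parsed = new URL(req.url);
  const token = parsed.searchParams.get('token') ||
    new URLSearchParams(req.body).get('token');
  const user = token ? tokens[token] : undefined;
  const status = user ? 200 : 401;
  return {
    status,
    headers: { 'xdomainrequestallowed': '1' }, // assumed acknowledgement header
    body: user ? `private data for ${user}` : 'no session',
    // A conventional access log records method, path and query, not the body.
    logLine: `${req.method} ${parsed.pathname}${parsed.search} ${status}`,
  };
}

// Three ways a page might try to reach user-specific data through XDR:
// the cookie the page hoped would ride along (stripped, so 401), a token
// in the URI, and a token in the POST body.
function demo() {
  const withCookie = handleXdr(
    buildXdrRequest('GET', 'https://api.example/profile', { Cookie: 'sid=abc' }),
    TOKENS);
  const tokenInUri = handleXdr(
    buildXdrRequest('GET', 'https://api.example/profile?token=t0k3n-alice', {}),
    TOKENS);
  const tokenInBody = handleXdr(
    buildXdrRequest('POST', 'https://api.example/profile', {}, 'token=t0k3n-alice'),
    TOKENS);
  return { withCookie, tokenInUri, tokenInBody };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log(r.withCookie.status, r.tokenInUri.logLine, r.tokenInBody.logLine);
}
```

The `logLine` field shows why the "inconvenient way" matters in practice: a token in the URI is recorded by ordinary server and proxy access logs, while a token in the POST body is not, so the two channels Henri names are not equally safe even though neither is a header.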
