Re: [cors] security issue with XMLHttpRequest API compatibility

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 7 Apr 2009 16:16:51 -0700
Message-ID: <5691356f0904071616w4337371bhae47bb376e714fd@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: public-webapps@w3.org

On Tue, Apr 7, 2009 at 3:57 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> My point is that having two APIs that are identical and intended to be
> used for basically the same thing, except for that they use different
> security models, is a security bug waiting to happen.

So you do of course realize that this is exactly what the WG is
currently proposing, right? Browser version X will have an XHR with
one security model and browser version X+1 will have an identical XHR
API with a different security model.

--Tyler
Received on Tuesday, 7 April 2009 23:17:32 GMT
