W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 17 Jun 2009 23:32:31 +0000 (UTC)
To: "Mark S. Miller" <erights@google.com>
Cc: Anne van Kesteren <annevk@opera.com>, Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0906172329160.16244@hixie.dreamhostps.com>
On Wed, 17 Jun 2009, Mark S. Miller wrote:
> > > >>
> > > >> If it does transmit any of these currently, are there any 
> > > >> objections to revising the spec so that it doesn't?
> >
> > Why?
> 
> So that the containing page can use such a credential removing service 
> to allow sanitized content within the page to make requests -- either to 
> its own or to other origins -- while preventing this content from 
> "speaking for" the containing page or the user.

The contained page already can't speak on behalf of the containing page -- 
that's what removing the Origin (and setting Origin to 'null') prevents.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 17 June 2009 23:33:05 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT