W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 17 Jun 2009 23:46:58 +0000 (UTC)
To: "Mark S. Miller" <erights@google.com>
Cc: Anne van Kesteren <annevk@opera.com>, Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0906172346060.16244@hixie.dreamhostps.com>
On Wed, 17 Jun 2009, Mark S. Miller wrote:
> On Wed, Jun 17, 2009 at 4:32 PM, Ian Hickson <ian@hixie.ch> wrote:
> > On Wed, 17 Jun 2009, Mark S. Miller wrote:
> > > > > >>
> > > > > >> If it does transmit any of these currently, are there any 
> > > > > >> objections to revising the spec so that it doesn't?
> > > >
> > > > Why?
> > >
> > > So that the containing page can use such a credential removing 
> > > service to allow sanitized content within the page to make requests 
> > > -- either to its own or to other origins -- while preventing this 
> > > content from "speaking for" the containing page or the user.
> >
> > The contained page already can't speak on behalf of the containing 
> > page -- that's what removing the Origin (and setting Origin to 'null') 
> > prevents.
> 
> "or the user."

But... we want the page talking on behalf of the user. That's the point 
of a browser. I don't really understand what we're trying to prevent here.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 17 June 2009 23:47:31 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT