- From: Tyler Close <tyler.close@gmail.com>
- Date: Fri, 20 Nov 2009 17:04:16 -0800
- To: public-webapps <public-webapps@w3.org>
- Message-ID: <5691356f0911201704s6e6d3c8aod3d4f98835f5a6c1@mail.gmail.com>

MarkM and I have produced a draft specification for the GuestXHR functionality we've been advocating. The W3C style specification document is attached. We look forward to any feedback on it.

We agree with others that "GuestXHR" was not a good name and so have named the proposal "Uniform Messaging" for reasons elaborated in the specification. To parallel the CORS separation of policy from API, this first document is the policy specification with an XMLHttpRequest-like API yet to follow.

Abstract:

"""
This document defines a mechanism to enable requests that are independent of the client's context. Using this mechanism, a client can engage in cross-site messaging without the danger of Cross-Site-Request-Forgery and similar attacks that abuse the cookies and other HTTP headers that form a client's context. For example, code from customer.example.org can use this mechanism to send requests to resources determined by service.example.com without further need to protect the client's context.
"""

Thanks,
--Tyler

Attachments
- text/html attachment: draft.html
Received on Saturday, 21 November 2009 01:04:58 UTC