Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

On Dec 16, 2009, at 11:30 PM, Devdatta wrote:

> hmm.. just an XDR GET on the file at hixie.ch which allows access only
> if the request is from damowmow.com?
>
> I am not sure -- is there anything special about XBL bindings which
> would result in this not working?

If I recall correctly, XDR sends an Origin header, so it would work  
for this kind of use case so long as the resource is not per-user. XDR  
essentially uses a profile of CORS with the credentials flag always  
off. UM is different - it would not send an Origin header. So it would  
be more difficult to apply it to Hixie's problem.

Regards,
Maciej



> Cheers
> devdatta
>
> 2009/12/16 Ian Hickson <ian@hixie.ch>:
>> On Wed, 16 Dec 2009, Devdatta wrote:
>>>>
>>>> Another example would be an XBL binding file on hixie.ch that is
>>>> accessible only to pages on damowmow.com. With CORS I can do this with one
>>>> line in my .htaccess file. I don't see how to do it at all with UM.
>>>
>>> Seems to me that these examples can just as easily be done with IE's
>>> XDomainRequest.
>>
>> How?
>>
>> --
>> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
>> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
>> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>>
>

Received on Thursday, 17 December 2009 07:37:12 UTC
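
Added example, not part of the original message or of any browser's code: a simplified JavaScript model of the hixie.ch / damowmow.com scenario discussed in this thread, comparing what CORS, XDR and UM send and whether the requesting page may read the response. The function names, the exact response header values, the `other.example` origin and the session cookie are assumptions constructed for illustration; the thread does not give the actual .htaccess line.

```javascript
// Simplified model (added illustration, not browser or spec code).
// What each mechanism puts on a cross-origin GET:
const MECHANISMS = {
  CORS: { origin: true,  credentials: true  }, // credentials flag may be on
  XDR:  { origin: true,  credentials: false }, // CORS profile, flag always off
  UM:   { origin: false, credentials: false }, // no Origin header at all
};

function buildRequest(mechanism, pageOrigin, cookie) {
  const m = MECHANISMS[mechanism];
  const headers = {};
  if (m.origin) headers.Origin = pageOrigin;
  if (m.credentials && cookie) headers.Cookie = cookie;
  return headers;
}

// Constructed server for hixie.ch. The static response header stands in for
// the "one line in .htaccess"; the exact line is not given in the thread.
function serve(requestHeaders, perUser) {
  const headers = { 'Access-Control-Allow-Origin': 'http://damowmow.com' };
  if (perUser) {
    headers['Access-Control-Allow-Credentials'] = 'true';
    if (!requestHeaders.Cookie) return { status: 401, headers, body: '' };
  }
  return { status: 200, headers, body: perUser ? 'per-user binding' : 'shared binding' };
}

// Browser-side decision: may the requesting page read the response?
function pageMayRead(mechanism, requestHeaders, response) {
  if (response.status !== 200) return false;
  const allow = response.headers['Access-Control-Allow-Origin'];
  if (mechanism === 'UM') return allow === '*';   // no Origin was sent to match against
  if (requestHeaders.Cookie) {                    // credentialed CORS: wildcard not accepted
    return allow === requestHeaders.Origin &&
      response.headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return allow === '*' || allow === requestHeaders.Origin;
}

function attempt(mechanism, pageOrigin, { perUser = false, cookie = null } = {}) {
  const req = buildRequest(mechanism, pageOrigin, cookie);
  return pageMayRead(mechanism, req, serve(req, perUser));
}
```

In this model the shared file is readable from damowmow.com via CORS or XDR but not via UM, and a per-user variant is readable only via credentialed CORS, since XDR never attaches the cookie.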