- From: Marcos Caceres <marcosscaceres@gmail.com>
- Date: Wed, 22 Jun 2011 10:32:09 +0200
- To: Robin Berjon <robin.berjon@gmail.com>
- CC: public-webapps <public-webapps@w3.org>
On 6/20/11 12:57 PM, Robin Berjon wrote:
> On Jun 20, 2011, at 12:23 , Marcos Caceres wrote:
>> On Mon, Jun 20, 2011 at 11:41 AM, Robin
>> Berjon<robin.berjon@gmail.com> wrote:
> You have origin restrictions in place. If you XHR to
> perfectly-legit.com and it redirects to something protected inside
> your network, unless you've used CORS to open up the latter (in which
> case you're begging to get hurt) then you won't get anything.

The use case I was thinking about was more centered around images, scripts, and iframes, which are not really subject to CORS (though I can see how they could be). Anyway, we already have origin="*", so probably doesn't matter too much at this point.
Received on Wednesday, 22 June 2011 08:32:40 UTC