Re: Impending web-arch issue?

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 11 May 2010 15:57:31 +0200
To: nathan@webr3.org, "Mark S. Miller" <erights@google.com>
Cc: "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <op.vcjnp5jt64w2qv@annevk-t60>

On Tue, 11 May 2010 15:47:41 +0200, Mark S. Miller <erights@google.com> wrote:
> Given an apache compatible web server, you could add
>
>     <FilesMatch "\.js$">
>       Header set Access-Control-Allow-Origin "*"
>     </FilesMatch>
>
> in a root .htaccess file. Adding this header is a good idea for all
> resources that parse as JavaScript anyway, as should be the case for all
> *.js files and for all JSONP services, since these resources are already
> not protected by the Same Origin Policy. For these resources, adding this
> header *cannot* result in any loss of security.

Actually, that is incorrect. Being able to read the contents of a
JavaScript file is quite different from being able to execute a JavaScript
file. E.g. there could be confidential comments in the file or some such.

(I'm not saying that any of this is a good idea, just that it is not at  
all the same.)


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 11 May 2010 13:58:23 GMT
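
Added example (not part of the thread, and not code from either participant): one way to see what `Access-Control-Allow-Origin: *` would newly make readable is to list the comments in each script before serving it with that header. The scanner, its function name and the sample file are constructed for illustration; it assumes no regex literals or nested template expressions in the input.

```javascript
// Added example: list comments in a script's source. A <script> include
// never exposes them to the including page; a CORS-readable response does.
// Assumption/limit: regex literals and nested template expressions are not parsed.
function extractComments(src) {
  const comments = [];
  let i = 0, line = 1;
  while (i < src.length) {
    const ch = src[i], next = src[i + 1];
    if (ch === '"' || ch === "'" || ch === '`') {
      // Skip the literal so "//" or "/*" inside a string is not reported.
      i++;
      while (i < src.length && src[i] !== ch) {
        if (src[i] === '\\') i++; // skip the escaped character
        if (src[i] === '\n') line++;
        i++;
      }
      i++; // step past the closing quote
    } else if (ch === '/' && next === '/') {
      let end = src.indexOf('\n', i);
      if (end === -1) end = src.length;
      comments.push({ line, text: src.slice(i + 2, end).trim() });
      i = end;
    } else if (ch === '/' && next === '*') {
      let end = src.indexOf('*/', i + 2);
      if (end === -1) end = src.length;
      const body = src.slice(i + 2, end);
      comments.push({ line, text: body.trim() });
      line += (body.match(/\n/g) || []).length;
      i = end + 2;
    } else {
      if (ch === '\n') line++;
      i++;
    }
  }
  return comments;
}

// Constructed sample file (not from the thread).
const sample = [
  '// TODO: remove staging key before launch',
  'var api = "https://example.test/v1"; // public endpoint',
  '/* internal: owned by the billing team',
  '   ticket PLACEHOLDER-1 */',
  'function go() { return api + "/*not a comment*/"; }',
].join('\n');

for (const c of extractComments(sample)) {
  console.log(`line ${c.line}: ${c.text}`);
}
```
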