- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 20 Dec 2007 12:56:09 +0100
- To: "Close, Tyler J." <tyler.close@hp.com>, "public-appformats@w3.org" <public-appformats@w3.org>

On Thu, 20 Dec 2007 02:17:29 +0100, Close, Tyler J. <tyler.close@hp.com> wrote:
> There is also a significant factual error in the document's Introduction:
>
> """
> However, it is not possible to exchange the contents of resources or
> manipulate resources "cross-domain".
> """
>
> It *is* possible to manipulate resources "cross-domain". An HTML page
> can contain a FORM which submits an HTTP request "cross-domain".
> Submission of this request can be automated using Javascript. The Same
> Origin Policy only prevents the HTML page from accessing the response to
> the issued request. Manipulation is allowed. Only responses are
> protected, not requests.

Ian already replied to your earlier comment. I believe the introduction is "fixed" in the editor's draft:

  http://dev.w3.org/2006/waf/access-control/#introduction

> Below are comments from Doug Crockford:
>
> [...] I believe there are more elegant and reliable approaches to
> providing a safe alternative to the script tag hack.

I'd be interested in hearing about such a proposal.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 20 December 2007 11:54:39 UTC
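
The distinction drawn in the quoted comment (requests are delivered cross-origin, only responses are withheld from the page) can be modelled in a few lines. This is an added example, not part of the original message or of the Access Control draft; `TargetSite`, `browserSubmitForm`, `demo` and all hosts and values are hypothetical, and the per-session token check is a common server-side mitigation added here for contrast, not something the thread proposes.

```javascript
// Simplified, constructed model: no network is used and all names are hypothetical.
class TargetSite {
  constructor(origin, sessionToken) {
    this.origin = origin;
    this.sessionToken = sessionToken; // readable only by pages of this origin
    this.email = "owner@site.example"; // state a form POST can change
    this.requireToken = false;
  }
  // State-changing handler reached by a form submission.
  handlePost(form) {
    if (this.requireToken && form.token !== this.sessionToken) {
      return { status: 403, body: "missing or wrong token" };
    }
    this.email = form.email;
    return { status: 200, body: `email set to ${form.email}` };
  }
}

// Browser side: the request is always delivered to the server. The response
// is readable by the submitting page only when the origins match.
function browserSubmitForm(pageUrl, site, form) {
  const response = site.handlePost(form); // delivered regardless of origin
  const sameOrigin = new URL(pageUrl).origin === site.origin;
  return sameOrigin ? response : { status: 0, body: null }; // opaque to the page
}

function demo() {
  const site = new TargetSite("https://site.example", "constructed-token");
  const foreignPage = "https://other.example/page.html";

  // 1. Without a token check the write succeeds, although the foreign page
  //    cannot read the response.
  const seen = browserSubmitForm(foreignPage, site, { email: "x@other.example" });
  const changedWithoutToken = site.email === "x@other.example";

  // 2. With the token check the same request is rejected: the foreign page
  //    could never read the token, because responses are protected.
  site.requireToken = true;
  browserSubmitForm(foreignPage, site, { email: "y@other.example" });
  const unchangedWithToken = site.email === "x@other.example";

  return { seen, changedWithoutToken, unchangedWithToken };
}

console.log(demo());
```

The token defence works only because the Same Origin Policy keeps the token-bearing response away from foreign pages, so the server has to make its state-changing requests depend on something that only a same-origin page can read.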