- From: L. David Baron <dbaron@dbaron.org>
- Date: Wed, 6 Feb 2008 14:31:06 -0800
- To: public-appformats@w3.org
On Wednesday 2008-02-06 22:05 +0000, Close, Tyler J. wrote:
> One of the primary purposes of access control is correctly
> assigning accountability for actions. I think the current AC4CSR
> proposal creates subtle and perhaps unexpected consequences for an
> application's ability to correctly assign accountability.

To me, the most important use case for being able to do cross-site XMLHttpRequest is the ability to get to *public* resources. For example, being able to do things like the Flickr API on the client, without having to trust the API enough to let it inject script into your page. This is already possible with things like the basic (map display) part of the Google Maps API only because there aren't cross-site restrictions on image loading (although the Google Maps API doesn't actually work that way, presumably because it gives Google more flexibility to change the servers).

I think it's extremely important that we ship something that allows this (i.e., sites to relax the default cross-domain restrictions for some resources) in Firefox 3.

In what cases is accountability for actions needed for such fully-public resources?

-David

--
L. David Baron http://dbaron.org/
Mozilla Corporation http://www.mozilla.com/

Received on Wednesday, 6 February 2008 22:31:21 UTC