- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 06 Feb 2008 17:10:57 -0800
- To: "Close, Tyler J." <tyler.close@hp.com>
- CC: Anne van Kesteren <annevk@opera.com>, Web Application Formats Working Group WG <public-appformats@w3.org>
Close, Tyler J. wrote:
>
> Anne van Kesteren wrote:
>> On Wed, 06 Feb 2008 23:05:17 +0100, Close, Tyler J. <tyler.close@hp.com> wrote:
>>> What mechanism is the WG recommending for assigning accountability for a cross-domain request? It seems some mechanism must be recommended, since the WG has eliminated the status quo approach.
>> What is recommended for this for cross-site GET and POST today?
>
> Today, browsers and sites cooperate to prevent cross-domain requests. This WG is proposing a mechanism for the two to agree on the exchange of cross-domain requests, but is doing so in a way that prevents use of the status quo mechanism for assigning accountability, as currently used for non-cross-domain requests.

You can today perform cross-site POST requests using normal HTML <form>s. This works much the same way.

Another way to look at it is: if you host web pages on your web server, who do you hold accountable today? The person creating the webpage, or the person whose cookies or auth credentials you receive?

/ Jonas
Received on Thursday, 7 February 2008 01:13:00 UTC