- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 19 Feb 2008 12:23:04 +0100
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Mark Baker <distobj@acm.org>, mike amundsen <mamund@yahoo.com>, John Panzer <jpanzer@acm.org>, Jonas Sicking <jonas@sicking.cc>, public-appformats@w3.org

On 2008-02-19 08:48:58 +0100, Anne van Kesteren wrote:

> No, these are completely different cases. What you're referring
> to is ok for same-origin requests and is what the same-origin
> requests still allow. Non same-origin requests probably require a
> different policy though.

That's not obvious to me. So far, the basic model is that (a) cross-origin requests are treated roughly the same as same-origin requests, but (b) require specific authorization for precisely that reason. (See also the accountability thread.)

--
Thomas Roessler, W3C <tlr@w3.org>

Received on Tuesday, 19 February 2008 11:23:17 UTC