- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 19 Feb 2008 12:33:13 +0100
- To: "Thomas Roessler" <tlr@w3.org>
- Cc: "Mark Baker" <distobj@acm.org>, "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
On Tue, 19 Feb 2008 12:23:04 +0100, Thomas Roessler <tlr@w3.org> wrote: > On 2008-02-19 08:48:58 +0100, Anne van Kesteren wrote: >> No, these are completely different cases. What you're referring >> to is ok for same-origin requests and is what the same-origin >> requests still allow. Non same-origin requests probably require a >> different policy though. > > That's not obvious to me. So far, the basic model is that (a) > cross-origin requests are treated roughly the same as same-origin > requests, but (b) require specific authorization for precisely that > reason. (See also the accountability thread.) That only holds true for non-GET. See my other e-mail where I made a proposal on how to deal with this. (Though I haven't filled in the specifics yet.) -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Tuesday, 19 February 2008 11:29:09 UTC