- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 22 Mar 2012 11:26:39 +0100
- To: Anne van Kesteren <annevk@opera.com>
- CC: public-html@w3.org, Edward O'Connor <eoconnor@apple.com>
On 2012-03-22 10:37, Anne van Kesteren wrote: > On Thu, 22 Mar 2012 10:19:53 +0100, Julian Reschke > <julian.reschke@gmx.de> wrote: >> On 2012-03-22 10:11, Anne van Kesteren wrote: >>> On Wed, 21 Mar 2012 23:47:00 +0100, Edward O'Connor <eoconnor@apple.com> >>> wrote: >>>> Please consider this zero edit Change Proposal for ISSUE-195: >>>> >>>> http://www.w3.org/html/wg/wiki/User:Eoconnor/ISSUE-195 >>> >>> Strong support. The other proposal is completely insecure. >> >> If there's something insecure about it, you probably should point out >> what it is. > > Allowing cross-origin methods not previously allowed, allowing > manipulation of headers cross-origin. Your basic insecure stuff that > should have been known if the people making that change proposal had > actually compared it to XMLHttpRequest. At some point a previous proposal stated that for methods other than GET/HEAD/POST, the same requirements as for XHR should apply.
Received on Thursday, 22 March 2012 10:27:14 UTC