Re: XMLHttpRequest Object feedback

"Mark Nottingham" <mnot@yahoo-inc.com>
>> Except of course you only allow them if there's some hypothetical cross
>> domain XHR, something which doesn't exist,
>
> AIUI that's under discussion in a TF now.

So the task force can decide the behaviour rather than pre-empting their 
conclusions with a MUST or SHOULD that is only relevant after they have 
decided.  Given that at least one likely conclusion will be a whitelist file 
allowing cross domain from such sites, your use case is met without 
endangering user freedoms.

>> and then usefully there's a way
>> of taking an XHR stream and converting it to an image or video stream,
>> again something that doesn't exist.
>
> You're losing me here; how do "image or video streams" come into it?

Because anything included in an IFRAME or new window is already trivially 
able to be retrieved without a referrer header in the vast majority of UAs 
that support script today.  The only things you cannot do are add an image 
with img (you can with iframe) or css background or content in an embed 
element, so the only relevant protection you're introducing is in these 
formats, not simple HTML or text documents.

>> The most prominent being the same Accessibility Testing assistant
>> mentioned elsewhere.
>
> ref?

http://www.w3.org/mid/065b01c658e9$eb1ba6c0$817ba8c0@Snufkin

Cheers,

Jim. 

Received on Friday, 7 April 2006 19:42:09 UTC