- From: Jim Ley <jim@jibbering.com>
- Date: Tue, 18 Apr 2006 22:50:17 +0100
- To: <public-webapi@w3.org>
"Ian Hickson" <ian@hixie.ch>
> On Tue, 18 Apr 2006, Ian Davis wrote:
>>
>> Those are interesting ideas but my proposal is specifically to limit the
>> scope of which 3rd party hosts can be accessed by the XHR object. Why is
>> that out of scope?
>
> Well, it seems you'd want all the restrictions in one place, rather than
> have restriction policies for each feature specced out separately. Also,
> it would be very strange to restrict XHR while not restricting the dozens
> of other ways of doing cross-site communication -- if what you're trying
> to do is leak information, you don't care whether you're using cross-site
> XMLHttpRequest or an older system (indeed, the older the better, as it'll
> work with more browsers).

The other leaking methods are not part of a standard - there's no standard that says a UA must allow cross-domain form posts (indeed the majority offer such a warning and the ability to deny it), and there's no standard that says a UA must allow cross-domain image access; again, most UAs offer a mechanism to block these. Standardising something which would require it to be allowed is a different matter from simply pointing out that current behaviour in UAs is such that it's possible.

Jim.
Received on Tuesday, 18 April 2006 21:51:53 UTC