- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Sat, 15 Mar 2008 22:40:08 +0200
- To: Eric Lawrence <ericlaw@exchange.microsoft.com>
- Cc: "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Sunava Dutta <sunavad@windows.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
On Mar 15, 2008, at 01:59, Eric Lawrence wrote:

> XDR is intended for "public" data. We explicitly suggest that
> Intranet servers do not expose private data through this mechanism.
> In order to ensure that no existing servers/services (in any zone)
> are put at risk, XDR does not send credentials of any sort, and
> requires that the server acknowledge the cross-domain nature of the
> request via the response header.

In practice, though, cross-site requests for user-specific data are so interesting that people will do it anyway. The user will have to trust the third-party site with credentials or a token which will be encoded in the URI or in the POST payload. The inability to pass credentials/token in the HTTP headers will not stop communicating that data--it'll only be communicated in an inconvenient way.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Saturday, 15 March 2008 20:40:58 UTC
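The XDR contract described in the quoted text, and the workaround Henri Sivonen predicts, modelled as a small server-side policy (an added example, not code from either author or from the XDR proposal): ambient credential headers are never honoured, only resources marked public get the opt-in acknowledgement header, and a token turning up in the query string or POST body is logged as a finding so operators can see credentials migrating into places where they end up in access logs. The header name `XDomainRequestAllowed: 1`, the resource list and the parameter names are assumptions for illustration.

```javascript
// Resources this server is willing to hand to any cross-domain caller (assumed).
const PUBLIC_RESOURCES = new Set(["/feed.json", "/prices.json"]);
// Parameter names that usually carry a credential when they appear in a URI/body (assumed).
const SECRET_PARAM_NAMES = ["token", "sessionid", "password", "api_key", "auth"];

// Returns the response a public-data endpoint gives to an XDR-style request,
// plus a list of findings worth surfacing in server logs.
function handleCrossDomainRequest(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers)) headers[k.toLowerCase()] = v;
  const url = new URL(req.url, "http://public.example"); // host only needed for parsing
  const findings = [];

  // XDR sends no credentials, so the server must not honour any that arrive:
  // the decision below is identical whether or not Cookie/Authorization is present.
  for (const h of ["cookie", "authorization"]) {
    if (h in headers) findings.push(`ignored ambient credential header: ${h}`);
  }

  // Detection point for the predicted workaround: a token in the URI or POST payload.
  const params = new URLSearchParams(url.search);
  if (req.body) new URLSearchParams(req.body).forEach((v, k) => params.append(k, v));
  for (const name of params.keys()) {
    if (SECRET_PARAM_NAMES.includes(name.toLowerCase())) {
      findings.push(`token-like parameter in request data: ${name}`);
    }
  }

  if (!PUBLIC_RESOURCES.has(url.pathname)) {
    // Not public: no acknowledgement header, so an XDR client must not expose the body.
    return { status: 403, headers: {}, body: "", findings };
  }
  return {
    status: 200,
    headers: { XDomainRequestAllowed: "1", "Content-Type": "application/json" },
    body: JSON.stringify({ resource: url.pathname }),
    findings,
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_PUBLIC = { method: "GET", url: "/feed.json", headers: {}, body: "" };
const SAMPLE_TOKEN_IN_URI = {
  method: "GET", url: "/feed.json?token=abc123", headers: { Cookie: "sid=1" }, body: "",
};
const SAMPLE_PRIVATE = { method: "POST", url: "/account.json", headers: {}, body: "auth=xyz" };

console.log(handleCrossDomainRequest(SAMPLE_TOKEN_IN_URI).findings);
```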