Re: Origin from Adam Barth on 2008-05-30 (public-webapi@w3.org from May 2008)

From: Adam Barth <public-webapi@adambarth.com>
Date: Fri, 30 May 2008 14:09:23 -0700
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Anne van Kesteren" <annevk@opera.com>, "Collin Jackson" <collinj@cs.stanford.edu>, "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <7789133a0805301409s3fddd204m9e02f1a0142bbb1a@mail.gmail.com>

On Fri, May 30, 2008 at 2:02 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> With Access-Control-Origin it is easy to block all cross-site requests where
> the requesting site can read the resulting data.

If you think this is an important use case, why not add a specific
header that says "this is a cross-site XMLHttpRequest" instead of
overloading the Access-Control-Origin header?

Adam

Received on Friday, 30 May 2008 21:09:59 UTC