- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 30 May 2008 14:48:31 -0700
- To: Adam Barth <public-webapi@adambarth.com>
- CC: Anne van Kesteren <annevk@opera.com>, Collin Jackson <collinj@cs.stanford.edu>, "Web API WG (public)" <public-webapi@w3.org>
Adam Barth wrote: > On Fri, May 30, 2008 at 2:02 PM, Jonas Sicking <jonas@sicking.cc> wrote: >> With Access-Control-Origin it is easy to block all cross-site requests where >> the requesting site can read the resulting data. > > If you think this is an important use case, why not add a specific > header that says "this is a cross-site XMLHttpRequest" instead of > overloading the Access-Control-Origin header? What I think is needed is a "this is a cross-site Access-Control request". Which I think is pretty close to what Access-Control-Origin was. / Jonas
Received on Friday, 30 May 2008 21:51:21 UTC