- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 19 Jun 2008 00:38:51 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>
On Wed, 18 Jun 2008, Jonas Sicking wrote:
>
> Most of the feedback I got from my previous proposal was in regards to
> the nested uri scheme solution, which wasn't really a critical part of
> the proposal. So here is an alternative proposal which doesn't use the
> nested schemes but rather a separate flag.

Seems reasonable.

The attack vector it is blocking is sites that provide user-specific POST-able scripts same-domain, and non-user-specific data cross-domain, and that accidentally make the former available under the Access-Control mechanism when exposing the latter, right?

This has one side-effect, which is that it doesn't work well with XBL or VBWG in environments where the XBL file (or VXML file) is customised to the user but accessed cross-site. Is that ok?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 19 June 2008 00:39:30 UTC
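The mechanism under discussion in the message above, as an added example that is not code from the thread or from the Access-Control specification of the time: a small model of the "separate flag" as it later shipped in CORS, where the client-side flag became XMLHttpRequest.withCredentials (and fetch's credentials: "include") and the server-side opt-in became the Access-Control-Allow-Credentials header. The server, cookie value, origins, paths and response bodies are constructed for illustration and correspond to no real site. It models both the accidental blanket "*" policy the message describes and the deliberate per-user cross-site resource (the XBL/VXML case), which under this design needs an explicit origin plus the credentials opt-in.

```javascript
// Added example, not code from the thread: a model of the "separate flag"
// proposal as it later shipped in CORS (XMLHttpRequest.withCredentials on
// the client, Access-Control-Allow-Credentials on the server). Origins,
// paths, the cookie value and the bodies are constructed for illustration.

const SERVER_ORIGIN = "https://api.example";   // constructed origin
const SESSION_COOKIE = "session=alice";         // constructed session cookie

// Constructed server: serves public data and a user-specific script from the
// same origin. `policy` is the CORS policy it stamps on every response.
function makeServer(policy) {
  return function handle(path, req) {
    const headers = { "Access-Control-Allow-Origin": policy.allowOrigin };
    if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
    const loggedIn = req.cookie === SESSION_COOKIE;
    if (path === "/data.json") {
      return { status: 200, headers, body: '{"public":true}' }; // never user-specific
    }
    if (path === "/user-script.js") {
      // Only a request carrying the session cookie gets the user's own script.
      const body = loggedIn ? 'var token="alice-secret";' : "var token=null;";
      return { status: 200, headers, body };
    }
    return { status: 404, headers, body: "" };
  };
}

// Model of the user-agent side of the check.
// Returns { ok, body }; ok === false means the response is withheld from the page.
function browserRequest(pageOrigin, path, withCredentials, server) {
  const sameOrigin = pageOrigin === SERVER_ORIGIN;
  // Cookies go out on same-origin requests, and cross-origin only when the
  // flag is set; with the flag off the server cannot even tell who is asking.
  const cookie = sameOrigin || withCredentials ? SESSION_COOKIE : null;
  const res = server(path, { origin: pageOrigin, cookie });
  const acao = res.headers["Access-Control-Allow-Origin"];
  const acac = res.headers["Access-Control-Allow-Credentials"];
  let ok;
  if (sameOrigin) {
    ok = true;                                   // no cross-origin check at all
  } else if (withCredentials) {
    // Credentialed cross-origin: a wildcard is never accepted; the page's
    // origin must be echoed exactly and the server must opt in explicitly.
    ok = acao === pageOrigin && acac === "true";
  } else {
    ok = acao === "*" || acao === pageOrigin;    // anonymous cross-origin
  }
  return { ok, body: ok ? res.body : null };
}

// The accidental configuration from the message: a blanket "*" applied to the
// public data AND to the user-specific script.
const blanket = makeServer({ allowOrigin: "*" });
// A deliberate cross-site, per-user resource (the XBL/VXML case): explicit
// origin plus the credentials opt-in.
const optedIn = makeServer({ allowOrigin: "https://app.example", allowCredentials: true });

function scenarios() {
  return {
    sameOriginScript:           browserRequest(SERVER_ORIGIN,          "/user-script.js", false, blanket),
    crossPublicData:            browserRequest("https://evil.example", "/data.json",      false, blanket),
    crossScriptNoFlag:          browserRequest("https://evil.example", "/user-script.js", false, blanket),
    crossScriptFlagBlanket:     browserRequest("https://evil.example", "/user-script.js", true,  blanket),
    crossScriptFlagOptedIn:     browserRequest("https://app.example",  "/user-script.js", true,  optedIn),
    crossScriptFlagWrongOrigin: browserRequest("https://evil.example", "/user-script.js", true,  optedIn),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(scenarios())) {
    console.log(name.padEnd(28), r.ok ? "exposed " : "withheld", r.body ?? "");
  }
}
```

Two of the scenarios carry the point of the message: with the flag off, the blanket "*" policy exposes only the anonymous view of the user script, because the user agent never attached the cookie; with the flag on, the same blanket policy causes the response to be withheld, because a wildcard is not honoured for a credentialed request. The per-user cross-site resource only works once the server names the calling origin and sets the credentials opt-in, which is the cost Hixie is asking about for the XBL and VoiceXML cases.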