- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 19 Jun 2008 13:03:57 +0200
- To: timeless@gmail.com
- CC: "public-webapps@w3.org" <public-webapps@w3.org>
timeless wrote: > On Thu, Jun 19, 2008 at 1:09 PM, Julian Reschke <julian.reschke@gmx.de> wrote: >> Can you provide an example where providing *XML* parse error information >> within *XHR* would be problematic? > > i really shouldn't have to. imagine a document that is not CSS and is not XML. > > now imagine an api that lets you try to load it as css. imagine that > this api exposes a dom object that describes *any* information from > that document in the case that it fails to parse as css. > > basically it meant that you can interrogate pages that you weren't > supposed to be able to look at to get information you weren't supposed > to have. > > now replace 'css' with 'xml'. The logic still applies. > > And yes, I understand you'll wave hands about "this is a trusted > application". I don't care. If it's a trusted application, then I > trust it not to make mistakes and to have ways to verify the > information server side before it's ever sent on any wires. But you already can read the unparsed content using responseText, no? Where's the leakage then? BR, Julian
Received on Thursday, 19 June 2008 11:04:42 UTC