- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 7 Apr 2009 17:29:14 -0700
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps@w3.org

On Tue, Apr 7, 2009 at 4:16 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Tue, Apr 7, 2009 at 3:57 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> My point is that having two APIs that are identical and intended to be
>> used for basically the same thing, except for that they use different
>> security models, is a security bug waiting to happen.
>
> So you do of course realize that this is exactly what the WG is
> currently proposing, right? Browser version X will have an XHR with
> one security model and browser version X+1 will have an identical XHR
> API with a different security model.

But it's for a limited time. In a few years hopefully all browsers support cross site XHR. And if you can already today follow the advice that you should not rely on XHR not honoring your request just because it's a cross site URI.

You are proposing a model where there's two types of XHR objects. One where we specifically tell users that you can rely on the request won't be sent cross site, and one where you can't.

/ Jonas

Received on Wednesday, 8 April 2009 00:30:04 UTC
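
The advice in the message above (do not rely on XHR refusing a request because the URI is cross site) can be followed by checking the origin explicitly before sending. The sketch below is an added example, not part of the original message or of any specification; `sameOriginUrl`, `guardedGet` and the `example.test` hosts are hypothetical, and the sample inputs are constructed.

```javascript
// Added illustration; function names and example.test hosts are hypothetical.
'use strict';

// Resolve `candidate` against the page URL and return the absolute URL
// only when scheme, host and port all match the page; otherwise null.
function sameOriginUrl(candidate, pageUrl) {
  let page, target;
  try {
    page = new URL(pageUrl);
    target = new URL(candidate, page);
  } catch (e) {
    return null; // unparsable input is never sent
  }
  // URL.origin is the string "null" for opaque origins (data:, ...): reject.
  if (page.origin === 'null' || target.origin !== page.origin) return null;
  return target.href;
}

// Send only after the explicit check. A same-origin-only XHR refused a
// cross-site URL for the caller; a cross-site-capable XHR sends it, so the
// caller has to make the decision itself.
function guardedGet(xhrFactory, candidate, pageUrl) {
  const url = sameOriginUrl(candidate, pageUrl);
  if (url === null) return false;
  const xhr = xhrFactory();
  xhr.open('GET', url);
  xhr.send();
  return true;
}

// Constructed sample inputs: forms that look local but resolve elsewhere.
const PAGE = 'https://app.example.test/inbox';
const SAMPLES = [
  '/api/messages',                                 // same origin
  'https://app.example.test:443/x',                // default port, same origin
  '//other.example.test/x',                        // protocol-relative
  '\\\\other.example.test/x',                      // backslashes parse as slashes
  'https://app.example.test@other.example.test/x', // userinfo, not host
  'https://app.example.test:8443/x',               // different port
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', sameOriginUrl(s, PAGE));
}
```
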