W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [cors] security issue with XMLHttpRequest API compatibility

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 14 Apr 2009 12:33:39 +0200
To: Jonas Sicking <jonas@sicking.cc>
Message-Id: <4DDFD05E-B17A-4CC1-B8FF-ADEED207BBA2@w3.org>
Cc: Tyler Close <tyler.close@gmail.com>, <public-webapps@w3.org>
So, to pick up on this discussion again -- I don't think we've had a  
useful conclusion whether or not the client-side JavaScript code ought  
to explicitly enable cross-site requests (as Tyler suggests, and as IE  
implements in XDR) or not.

All things considered, any thoughts?
Thomas Roessler, W3C  <tlr@w3.org>

On 8 Apr 2009, at 20:07, Jonas Sicking wrote:

> On Wed, Apr 8, 2009 at 2:23 AM, Thomas Roessler <tlr@w3.org> wrote:
>> Incidentally, just framing this as "XHR vs XDR" is a bit  
>> simplistic:  E.g.,
>> one could imagine a method "enableCrossSiteRequests" (or something  
>> like
>> that) which needs to be invoked before XHR can do cross site  
>> requests.
> Oh, indeed. I didn't mean to frame it as an "XHR vs XDR" thing.
> There's certainly other ways of doing it. Tyler also proposed adding
> an argument to the XHR constructor.
> / Jonas
Received on Tuesday, 14 April 2009 10:33:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:53 UTC