- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 09 Jun 2009 21:09:51 +0200
- To: "Tyler Close" <tyler.close@gmail.com>, "Adam Barth" <w3c@adambarth.com>
- Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
On Tue, 09 Jun 2009 18:38:47 +0200, Tyler Close <tyler.close@gmail.com> wrote: > So requests from XMLHttpRequest have an Origin header, and requests > from GuestXMLHttpRequest don't. The server should treat requests > coming from GuestXMLHttpRequest as bits arriving from an unknown > client (ie: a "guest"), and so only authorize them based on > information explicitly included in the request. FWIW, I think we need a little more motivation for GuestXMLHttpRequest. It seems to me that a seamless sandboxed <iframe> addresses the use case brought forward and does so better (and more complete) than adding a new constructor for XMLHttpRequest. -- Anne van Kesteren http://annevankesteren.nl/
Received on Tuesday, 9 June 2009 19:10:38 UTC