- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 17 Jun 2009 23:32:31 +0000 (UTC)
- To: "Mark S. Miller" <erights@google.com>
- Cc: Anne van Kesteren <annevk@opera.com>, Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Wed, 17 Jun 2009, Mark S. Miller wrote: > > > >> > > > >> If it does transmit any of these currently, are there any > > > >> objections to revising the spec so that it doesn't? > > > > Why? > > So that the containing page can use such a credential removing service > to allow sanitized content within the page to make requests -- either to > its own or to other origins -- while preventing this content from > "speaking for" the containing page or the user. The contained page already can't speak on behalf of the containing page -- that's what removing the Origin (and setting Origin to 'null') prevents. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 17 June 2009 23:33:05 UTC