Re: [cors] ACTION-11 API use cases

I don't think the presented XBL use case is valid:

"An XBL binding allows full access to the document it is bound to and 
therefore cross-origin XBL usage is prohibited. The resource sharing 
policy enables cross-origin XBL bindings. If the user is authenticated 
with the server that hosts the XBL widget it is possible to have a 
user-specific cross-origin  bindings."

I'm not sure whether "an XBL binding allows full access to the document 
it is bound to" is talking about accessing the DOM of the bound-document 
or the binding-document, but I don't think either case requires 

I don't see where the XBL spec says that the bound-document must have 
access to the binding-document, so I don't understand why cross-origin 
restrictions would apply.

And I don't understand why we should prohibit the XBL binding having 
access to the bound-document. That's the whole point of XBL, and we 
already have the same situation with <script src>. If you don't trust 
the XBL bindings then don't reference them, just like with scripts.

Anne van Kesteren wrote:
> I took a stab at ACTION-11 which is currently assigned to Maciej:
> If this is good enough I suggest we close the action.

Received on Tuesday, 10 February 2009 12:02:28 UTC