- From: Sean Hogan <shogun70@westnet.com.au>
- Date: Tue, 10 Feb 2009 23:00:35 +1100
- To: Anne van Kesteren <annevk@opera.com>
- CC: WebApps WG <public-webapps@w3.org>, Maciej Stachowiak <mjs@apple.com>
I don't think the presented XBL use case is valid: "An XBL binding allows full access to the document it is bound to and therefore cross-origin XBL usage is prohibited. The resource sharing policy enables cross-origin XBL bindings. If the user is authenticated with the server that hosts the XBL widget it is possible to have a user-specific cross-origin bindings." I'm not sure whether "an XBL binding allows full access to the document it is bound to" is talking about accessing the DOM of the bound-document or the binding-document, but I don't think either case requires access-control. I don't see where the XBL spec says that the bound-document must have access to the binding-document, so I don't understand why cross-origin restrictions would apply. And I don't understand why we should prohibit the XBL binding having access to the bound-document. That's the whole point of XBL, and we already have the same situation with <script src>. If you don't trust the XBL bindings then don't reference them, just like with scripts. Anne van Kesteren wrote: > > I took a stab at ACTION-11 which is currently assigned to Maciej: > > http://www.w3.org/2008/webapps/track/actions/11 > http://dev.w3.org/2006/waf/access-control/#use-cases > > If this is good enough I suggest we close the action. > >
Received on Tuesday, 10 February 2009 12:02:28 UTC