I don't think the presented XBL use case is valid:

"An XBL binding allows full access to the document it is bound to and therefore cross-origin XBL usage is prohibited. The resource sharing policy enables cross-origin XBL bindings. If the user is authenticated with the server that hosts the XBL widget it is possible to have a user-specific cross-origin bindings."

I'm not sure whether "an XBL binding allows full access to the document it is bound to" is talking about accessing the DOM of the bound-document or the binding-document, but I don't think either case requires access-control.

I don't see where the XBL spec says that the bound-document must have access to the binding-document, so I don't understand why cross-origin restrictions would apply.

And I don't understand why we should prohibit the XBL binding having access to the bound-document. That's the whole point of XBL, and we already have the same situation with <script src>. If you don't trust the XBL bindings then don't reference them, just like with scripts.

Anne van Kesteren wrote:
>
> I took a stab at ACTION-11 which is currently assigned to Maciej:
>
> http://www.w3.org/2008/webapps/track/actions/11
> http://dev.w3.org/2006/waf/access-control/#use-cases
>
> If this is good enough I suggest we close the action.
>

Received on Tuesday, 10 February 2009 12:02:28 UTC