- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 10 Feb 2009 13:06:10 +0100
- To: "Sean Hogan" <shogun70@westnet.com.au>
- Cc: "WebApps WG" <public-webapps@w3.org>, "Maciej Stachowiak" <mjs@apple.com>
On Tue, 10 Feb 2009 13:00:35 +0100, Sean Hogan <shogun70@westnet.com.au> wrote:

> I don't think the presented XBL use case is valid:
>
> "An XBL binding allows full access to the document it is bound to and
> therefore cross-origin XBL usage is prohibited. The resource sharing
> policy enables cross-origin XBL bindings. If the user is authenticated
> with the server that hosts the XBL widget it is possible to have a
> user-specific cross-origin bindings."
>
> I'm not sure whether "an XBL binding allows full access to the document
> it is bound to" is talking about accessing the DOM of the bound-document
> or the binding-document, but I don't think either case requires
> access-control.
>
> I don't see where the XBL spec says that the bound-document must have
> access to the binding-document, so I don't understand why cross-origin
> restrictions would apply.
>
> And I don't understand why we should prohibit the XBL binding having
> access to the bound-document. That's the whole point of XBL, and we
> already have the same situation with <script src>. If you don't trust
> the XBL bindings then don't reference them, just like with scripts.

That example is based on http://www.w3.org/TR/2007/CR-xbl-20070316/#security and maybe some discussion with Ian regarding this. It's been a while.

Does that help?

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 10 February 2009 12:06:56 UTC