[cors] Possible need for a "Destination" Header

Unless I am missing something, there seems to be a security hole with
the current proposal. If a site has been hacked then malicous code can
send content to any site that abides by the access control policies.  It
is up to the destination site to accept the request, and in the case of
a nefarious destination, would most certainly do so. Wouldn't it also
make sense to have some policy control from the origination site that
would limit where requests could be made. This could be done in the form
of a "Desitnation" Header that would give more control over where
XmlHttp requests could be directed. 



Mike Chack 
O: +1 408.526.4639 
M: +1 408.504.6594 


Received on Tuesday, 17 February 2009 11:18:05 UTC