- From: Mike Chack (mchack) <mchack@cisco.com>
- Date: Mon, 16 Feb 2009 09:14:10 -0800
- To: <public-webapps@w3.org>
Received on Tuesday, 17 February 2009 11:18:05 UTC
Unless I am missing something, there seems to be a security hole with the current proposal. If a site has been hacked, then malicious code can send content to any site that abides by the access control policies. It is up to the destination site to accept the request, and in the case of a nefarious destination, it would most certainly do so. Wouldn't it also make sense to have some policy control from the origination site that would limit where requests could be made? This could be done in the form of a "Destination" Header that would give more control over where XmlHttp requests could be directed.

Mike Chack
O: +1 408.526.4639
M: +1 408.504.6594
mchack@cisco.com