- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 23 Nov 2009 09:33:51 -0800
- To: public-webapps <public-webapps@w3.org>
- Message-ID: <5691356f0911230933u41eed6c5m942bfb95dd06f884@mail.gmail.com>
I made some minor edits and formatting improvements to the document sent out on Friday. The new version is attached. If you read the prior version, there's no need to review the new one. If you're just getting started, use the attached copy.

Thanks,
--Tyler

On Fri, Nov 20, 2009 at 5:04 PM, Tyler Close <tyler.close@gmail.com> wrote:
> MarkM and I have produced a draft specification for the GuestXHR
> functionality we've been advocating. The W3C style specification
> document is attached. We look forward to any feedback on it.
>
> We agree with others that "GuestXHR" was not a good name and so have
> named the proposal "Uniform Messaging" for reasons elaborated in the
> specification.
>
> To parallel the CORS separation of policy from API, this first
> document is the policy specification with an XMLHttpRequest-like API
> yet to follow.
>
> Abstract:
> """
> This document defines a mechanism to enable requests that are
> independent of the client's context. Using this mechanism, a client
> can engage in cross-site messaging without the danger of
> Cross-Site-Request-Forgery and similar attacks that abuse the cookies
> and other HTTP headers that form a client's context. For example, code
> from customer.example.org can use this mechanism to send requests to
> resources determined by service.example.com without further need to
> protect the client's context.
> """
>
> Thanks,
> --Tyler
>

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Attachments
- text/html attachment: draft.html
Received on Monday, 23 November 2009 17:34:25 UTC