- From: Maciej Stachowiak <mjs@apple.com>
- Date: Wed, 16 Dec 2009 23:36:38 -0800
- To: Devdatta <dev.akhawe@gmail.com>
- Cc: Ian Hickson <ian@hixie.ch>, Kenton Varda <kenton@google.com>, public-webapps <public-webapps@w3.org>
On Dec 16, 2009, at 11:30 PM, Devdatta wrote:

> hmm.. just a XDR GET on the file at hixie.ch which allows access only
> if the request is from damowmow.com ?
>
> I am not sure -- is there anything special about XBL bindings which
> would result in this not working ?

If I recall correctly, XDR sends an Origin header, so it would work for this kind of use case so long as the resource is not per-user. XDR essentially uses a profile of CORS with the credentials flag always off.

UM is different - it would not send an Origin header. So it would be more difficult to apply it to Hixie's problem.

Regards,
Maciej

> Cheers
> devdatta
>
> 2009/12/16 Ian Hickson <ian@hixie.ch>:
>> On Wed, 16 Dec 2009, Devdatta wrote:
>>>>
>>>> Another example would be an XBL binding file on hixie.ch that is
>>>> accessible only to pages on damowmow.com. With CORS I can do this
>>>> with one line in my .htaccess file. I don't see how to do it at all with UM.
>>>
>>> Seems to me that these examples can just as easily be done with IE's
>>> XDomainRequest.
>>
>> How?
>>
>> --
>> Ian Hickson U+1047E )
>> \._.,--....,'``. fL
>> http://ln.hixie.ch/ U+263A /, _.. \ _
>> \ ;`._ ,.
>> Things that are impossible just take longer. `._.-(,_..'--
>> (,_..'`-.;.'
>>
>
Received on Thursday, 17 December 2009 07:37:12 UTC
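
The distinction drawn in the message above, as an added example that is not part of the original thread: a server-side decision for a resource on hixie.ch that only pages on damowmow.com may read, showing why a request carrying an Origin header can be authorized this way and a UM-style request without one cannot. The function names, the sample requests and the `damowmow.com.example` origin are assumptions made for illustration.

```javascript
// Added illustration; names below are hypothetical, not from the thread.
const ALLOWED_ORIGINS = new Set(["http://damowmow.com"]);

// HTTP header names are case-insensitive, so normalise before lookup.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Decide which CORS response headers to attach to a cross-site GET.
function corsResponseHeaders(requestHeaders) {
  // The response depends on Origin, so shared caches must key on it.
  const out = { Vary: "Origin" };
  const origin = getHeader(requestHeaders, "Origin");
  if (origin === undefined) {
    // UM-style request: without an Origin header the server cannot tell
    // damowmow.com from any other site, so it grants nothing.
    return out;
  }
  if (ALLOWED_ORIGINS.has(origin)) {
    // Exact string match (no prefix or suffix test), then echo that origin.
    out["Access-Control-Allow-Origin"] = origin;
    // Access-Control-Allow-Credentials is deliberately never set: no
    // credentials are sent, so this suits only resources that are not per-user.
  }
  return out;
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { label: "Origin sent, damowmow.com", headers: { Host: "hixie.ch", Origin: "http://damowmow.com" } },
  { label: "Origin sent, another site", headers: { Host: "hixie.ch", origin: "http://damowmow.com.example" } },
  { label: "UM-style, no Origin", headers: { Host: "hixie.ch" } },
];

// True when the requesting page would be allowed to read the response.
function readableBy(sample) {
  return "Access-Control-Allow-Origin" in corsResponseHeaders(sample.headers);
}

for (const s of SAMPLE_REQUESTS) {
  console.log(s.label + ": " + (readableBy(s) ? "readable" : "not readable"));
}
```

The header only tells a browser whether the requesting page may read the response; any client that does not enforce it can still fetch the file, so this is an access hint for browsers and not authentication.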