- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 21 Dec 2009 22:39:31 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>
On Mon, 21 Dec 2009, Tyler Close wrote:

> No, there is a difference in access-control between the two designs.
>
> In the two header design:
> 1) An XHR GET of the XBL file data by example.org *is* allowed.
> 2) An <xbl> import of the XBL data by example.org triggers a rendering error.

That's a bad design. It would make people think they had secured the file when they had not. Security should be consistent across everything.

> In the one header design:
> 1) An XHR GET of the XBL file data by example.org is *not* allowed.
> 2) An <xbl> import of the XBL data by example.org triggers a rendering error.

That's what I want.

> Under the two header design, everyone has read access to the raw bits
> of the XBL file.

That's a bad thing.

> The one header design makes an empty promise to protect read access to
> the XBL file.

How is it an empty promise?

--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
Received on Monday, 21 December 2009 22:39:59 UTC
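The two designs argued over in this thread, modelled as an added illustration (not code from the XBL spec or from either author): a single origin check that both XHR and <xbl> import consult versus one that only the import path consults. Origin names, the "*" wildcard and the same-origin shortcut are assumptions of the model, not details from the message.

```python
"""Constructed model of the one-header vs two-header XBL access-control designs."""
from dataclasses import dataclass

# Origin that hosts the XBL file (constructed value for the model).
RESOURCE_ORIGIN = "https://example.com"


@dataclass(frozen=True)
class XblPolicy:
    """Origins the resource owner names in its access-control header ("*" = any)."""
    allowed_origins: frozenset = frozenset()

    def origin_ok(self, origin: str) -> bool:
        # Same-origin access is always permitted; otherwise consult the header.
        return (origin == RESOURCE_ORIGIN
                or "*" in self.allowed_origins
                or origin in self.allowed_origins)


def _check_mode(mode: str) -> None:
    if mode not in ("xhr", "xbl"):
        raise ValueError(f"unknown access mode: {mode!r}")


def decide_two_header(policy: XblPolicy, origin: str, mode: str) -> bool:
    """Two-header design as described in the thread: a raw XHR GET is always
    readable, and only the <xbl> import path is gated by the policy."""
    _check_mode(mode)
    return True if mode == "xhr" else policy.origin_ok(origin)


def decide_one_header(policy: XblPolicy, origin: str, mode: str) -> bool:
    """One-header design: the same origin check governs both access paths."""
    _check_mode(mode)
    return policy.origin_ok(origin)


def is_consistent(decide, policy: XblPolicy, origin: str) -> bool:
    """True when an origin gets the same answer whichever path it uses.
    This is the property Hickson's 'consistent across everything' asks for."""
    return decide(policy, origin, "xhr") == decide(policy, origin, "xbl")
```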