- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 4 May 2010 15:00:48 -0700
- To: "Mark S. Miller" <erights@google.com>
- Cc: Scott Wilson <scott.bradley.wilson@gmail.com>, public-webapps WG <public-webapps@w3.org>
On Tue, May 4, 2010 at 2:56 PM, Mark S. Miller <erights@google.com> wrote:
> On Tue, May 4, 2010 at 2:45 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> > If these were limited to Uniform Messages, how much of a need would there
>> > still be to disallow them? What would the remaining threats be?
>>
>> Would it allow reading resources behind corporate firewalls using a
>> browser running on a computer behind said firewall?
>>
>
> Only if the resource responds with an "Access-Control-Allow-Origin: *"
> header.

Ah, I see what you mean. Yes, it seems to me like as long as the
normal "web cross origin policies" are applied (including things like
UMP, CORS, <img>, <iframe>) then it should be fine I would think.

Though I'm not a widget person so please don't rely on my answer.

/ Jonas
Received on Tuesday, 4 May 2010 22:01:40 UTC
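
The opt-in condition discussed in the message above, as an added example that is not part of the original thread: a small audit that takes raw HTTP responses from internal hosts and lists the ones a Uniform Message request from any page could read. The host names and responses are constructed, the function names are hypothetical, and treating a repeated header as "not opted in" is an assumption of this sketch.

```javascript
// Constructed sample responses from hypothetical intranet hosts.
const SAMPLE_RESPONSES = {
  "http://wiki.corp.example/":
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>internal</html>",
  "http://api.corp.example/status":
    "HTTP/1.1 200 OK\r\naccess-control-allow-origin:  * \r\nContent-Type: application/json\r\n\r\n{}",
  "http://hr.corp.example/":
    "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://portal.corp.example\r\n\r\nok",
  "http://legacy.corp.example/":
    "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-Origin: https://a.example\r\n\r\nok",
  "http://docs.corp.example/":
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nAccess-Control-Allow-Origin: *",
};

// Parse only the header section; text after the first blank line is body.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/, 1)[0];
  const headers = new Map();
  for (const line of head.split(/\r?\n/).slice(1)) { // slice(1) skips the status line
    const idx = line.indexOf(":");
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase(); // header names are case-insensitive
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// True when the response carries exactly one Access-Control-Allow-Origin
// header whose value is "*". This models only the uniform-message case; an
// origin-specific value is a CORS decision for that one origin and is not
// counted here. Rejecting repeated headers is this sketch's assumption.
function readableByUniformRequest(raw) {
  const values = parseHeaders(raw).get("access-control-allow-origin") || [];
  return values.length === 1 && values[0] === "*";
}

// Return the URLs whose responses opt in to being read cross-origin.
function auditOptIns(responses) {
  return Object.entries(responses)
    .filter(([, raw]) => readableByUniformRequest(raw))
    .map(([url]) => url);
}

console.log(auditOptIns(SAMPLE_RESPONSES));
```

Hosts that the audit lists are the ones whose content the firewall no longer protects from pages loaded in a browser inside the network.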