Re: [widgets] WARP default policy

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 4 May 2010 15:00:48 -0700
Message-ID: <n2p63df84f1005041500vc380d470x8dc46d40ae6fe53f@mail.gmail.com>
To: "Mark S. Miller" <erights@google.com>
Cc: Scott Wilson <scott.bradley.wilson@gmail.com>, public-webapps WG <public-webapps@w3.org>

On Tue, May 4, 2010 at 2:56 PM, Mark S. Miller <erights@google.com> wrote:
> On Tue, May 4, 2010 at 2:45 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> > If these were limited to Uniform Messages, how much of a need would there
>> > still be to disallow them? What would the remaining threats be?
>> Would it allow reading resources behind corporate firewalls using a
>> browser running on a computer behind said firewall?
> Only if the resource responds with an "Access-Control-Allow-Origin: *"
> header.

Ah, I see what you mean. Yes, it seems to me like as long as the
normal "web cross origin policies" are applied (including things like
UMP, CORS, <img>, <iframe>) then it should be fine I would think.

Though I'm not a widget person so please don't rely on my answer.

/ Jonas
Received on Tuesday, 4 May 2010 22:01:40 UTC
