Re: [widgets] WARP default policy

On Tue, May 4, 2010 at 2:56 PM, Mark S. Miller <> wrote:
> On Tue, May 4, 2010 at 2:45 PM, Jonas Sicking <> wrote:
>> > If these were limited to Uniform Messages, how much of a need would
>> > there
>> > still be to disallow them? What would the remaining threats be?
>> Would it allow reading resources behind corporate firewalls using a
>> browser running on a computer behind said firewall?
> Only if the resource responds with an "Access-Control-Allow-Origin: *"
> header.

Ah, I see what you mean. Yes, it seems to me like as long as the
normal "web cross origin policies" are applied (including things like
UMP, CORS, <img>, <iframe>) then it should be fine I would think.

Though I'm not a widget person so please don't rely on my answer.

/ Jonas

Received on Tuesday, 4 May 2010 22:01:40 UTC