CORS Questions

Hi All,

A couple of questions about CORS.

1: Why is CORS an opt-out setup instead of an opt-in?
e.g. why are all my resources hidden from JS by default rather than exposed, 
leaving me to limit access to specific resources at my discretion.

2: Why does CORS prevent this:

function doNastyStuff() {
	var client = new XMLHttpRequest();
	client.open("GET", "http://intranet.corp.example/sensitive.json");
	client.send();
}

but allow this:

function doNastyStuff() {
	var script = document.createElement("script");
	script.src = 'http://intranet.corp.example/sensitive.json';
	document.head.appendChild(script);
}



Received on Monday, 10 May 2010 22:43:35 UTC