- From: Nathan <nathan@webr3.org>
- Date: Mon, 10 May 2010 23:42:21 +0100
- To: public-webapps@w3.org
- CC: Anne van Kesteren <annevk@opera.com>
Hi All,
A couple of questions about CORS.
1: Why is CORS an opt-out setup instead of an opt-in?
eg why are all my resource hidden to js by default rather than exposed,
then allowing me to limit access to specific resources at my discretion.
2: Why does CORS prevent this:
function doNastyStuff() {
new client = new XMLHttpRequest();
client.open("GET", "intranet.corp.example/sensitive.json");
}
but allow this:
function doNastyStuff() {
var script = document.createElement("script");
script.src = 'intranet.corp.example/sensitive.json';
document.body.appendChild(script);
}
Best,
Nathan
Received on Monday, 10 May 2010 22:43:35 UTC