- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 27 Aug 2010 13:30:48 +0200
- To: public-webapps <public-webapps@w3.org>, "Devdatta Akhawe" <dev.akhawe@gmail.com>
On Sat, 21 Aug 2010 03:59:09 +0200, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> It seems that over here facebook is a benign server that some time in
> the past assumed that XHR can only be same origin, and with the
> introduction of cross origin XHR is suddenly vulnerable to XSS. In
> general, a client needs to 'add' stuff to its js to be safe after the
> introduction of XHR. This isn't ideal.

Yeah, this was discussed some time ago on this list already. We decided this risk was minor enough, especially now lots of shipping clients expose this already.

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Friday, 27 August 2010 11:31:26 UTC