- From: David Bruant <david.bruant@labri.fr>
- Date: Wed, 15 Jun 2011 12:43:33 +0200
- To: public-webapps@w3.org
Hi, I've been thinking a lot about same-origin policy recently. I understand the protection it provides when it comes to cross-frame communication, but I'm having a hard time understanding what it protects from when it comes to cross-origin XHR. Over the years, web sites have moved to web apps and to just apps. These apps are client applications able to download content from different origin and mashup content. Interestingly, the notion of origin does not apply to these apps. Basically, being installed as independent pieces of software, rather than from loaded from a particular source in a web browser, they are origin-free. This already applied to other client applications such as crawlers. To summurize, the same application (if written in JS for instance) could perform cross-domain XHR if installed as stand-alone, but cannot if running within a web browser (which granted it an origin and applied same-origin restrictions). Could someone explain how running in a web browser justify such a difference? For instance, could someone explain a threat particular to cross-origin XHR in web browser? Thanks, David
Received on Wednesday, 15 June 2011 10:44:15 UTC