Re: Cross-Origin Resource Embedding Restrictions

Anne van Kesteren wrote:
> And although it might end up being part of the Content Security Policy 
> work, I think it would be useful if we publish a Working Draft of this work 
> to gather more input, committing us to nothing.
> What do you think?

Halfway there. I don't follow why a line of js invokes an "everything 
cross-origin blocked by default" security model, and a line of html 
invokes an "everything allowed by default" security model. Nor do I 
follow why "origin" isn't just sent as standard with every request and 
access controlled by the server based on origin (rather than controlled 
only "by user agents which choose to follow the specs", offering an 
artificial screen).

However, on this specific draft, is there any chance you can move to a 
white-list/black-list model, where people can send either Allow-Origin 
or Deny-Origin? For instance, in many scenarios I want to allow everyone 
except origins A and B, who I know consistently "steal" bandwidth or 
display my resources beside unsavoury ones.
Received on Tuesday, 1 March 2011 20:34:58 UTC
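The server-side model argued for above (the browser sends `Origin`, the server decides based on an allow list or a deny list) as an added example that is not part of the original message or of any W3C draft. The origins, the `Deny-Origin`-free policy shape and the sample requests are constructed for illustration; the only real headers used are the standard `Origin` request header and `Access-Control-Allow-Origin` / `Vary` response headers.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample policy (hypothetical origins): the "everyone except
# A and B" case from the message. Set ALLOW_ALL to False for a pure
# white-list where only ALLOW_LIST origins receive a grant.
DENY_LIST = {"https://a.example", "https://b.example"}
ALLOW_LIST = {"https://partner.example"}
ALLOW_ALL = True


def decide_cors(origin: Optional[str], allow_all: bool = ALLOW_ALL,
                allow_list=ALLOW_LIST, deny_list=DENY_LIST
                ) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a request carrying `origin`.

    The deny list is enforced by the server itself (403, no bytes sent), so
    it does not depend on the user agent honouring any response header.
    Matching is exact: suffix or substring matching is the classic CORS
    misconfiguration, since "https://partner.example.other" is not the
    partner. The grant echoes the specific origin rather than "*" and sets
    "Vary: Origin" so a shared cache never serves one origin's grant to another.
    """
    headers = {"Vary": "Origin"}
    if origin is None:
        # No Origin header: same-origin navigation or a non-browser client.
        # There is nothing to grant, and the deny list cannot be applied,
        # which is the limit of any origin-based scheme.
        return 200, headers
    if origin in deny_list:
        return 403, headers
    if origin == "null":
        # Opaque origin (sandboxed frames, data: URLs): never grant to "null",
        # since any page can arrange to send it.
        return 200, headers
    if allow_all or origin in allow_list:
        headers["Access-Control-Allow-Origin"] = origin
        return 200, headers
    return 403, headers


def handle_requests(requests: List[Dict[str, Optional[str]]], **policy
                    ) -> List[Tuple[Optional[str], int, Optional[str]]]:
    """Run the policy over constructed requests; returns (origin, status, grant)."""
    out = []
    for req in requests:
        status, hdrs = decide_cors(req.get("Origin"), **policy)
        out.append((req.get("Origin"), status, hdrs.get("Access-Control-Allow-Origin")))
    return out
```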