- From: Nathan <nathan@webr3.org>
- Date: Tue, 01 Mar 2011 20:33:04 +0000
- To: Anne van Kesteren <annevk@opera.com>
- CC: WebApps WG <public-webapps@w3.org>
Anne van Kesteren wrote:
> http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html
>
> And although it might end up being part of the Content Security Policy
> work I think it would be useful if we publish a Working Draft of this work
> to gather more input, committing us nothing.
>
> What do you think?

Half way there, I don't follow why a line of js invokes an "everything cross-origin blocked by default" security model, and a line of html invokes an "everything allowed by default" security model. Nor do I follow why "origin" isn't just sent as standard with every request and access controlled by the server based on origin (rather than controlled only "by user agents which choose to follow the specs" offering an artificial screen).

However, on this specific draft, is there any chance you can move to a white-list/black-list model, where people can send either Allow-Origin or Deny-Origin? For instance, in many scenarios I want to allow everyone except origins A and B who I know consistently "steal" bandwidth, or display my resources beside unsavoury ones.

Best,

Nathan
Received on Tuesday, 1 March 2011 20:34:58 UTC
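As an added illustration, not part of Nathan's message or the From-Origin draft, the Python below sketches the server-side gate he argues for: the Origin request header is canonicalised and checked against either an allow-list or a deny-list. The sample origins and the handling of a missing or `null` Origin are my assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Canonicalise an Origin header value to scheme://host[:port].

    Returns "null" for the opaque origin and None if the value is unparsable.
    urlsplit lower-cases the host; the scheme's default port is dropped so
    "http://A.example:80" and "http://a.example" compare equal.
    """
    if value is None:
        return None
    value = value.strip()
    if value == "null":
        return "null"
    parts = urlsplit(value)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname or parts.path:
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


class OriginPolicy:
    """Server-side origin gate with allow-list or deny-list semantics (assumed design)."""

    def __init__(self, mode, origins):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.origins = {normalize_origin(o) for o in origins}
        if None in self.origins:
            raise ValueError("unparsable origin in policy list")

    def permits(self, origin_header):
        """True if a request carrying this Origin header should be served."""
        if origin_header is None:
            # No Origin header: the server cannot tell who is embedding the
            # resource (the gap the message points at). An allow-list must
            # fail closed; a deny-list has nothing to match and lets it through.
            return self.mode == "deny"
        origin = normalize_origin(origin_header)
        if origin is None or origin == "null":
            # Garbage or opaque origin: fail closed in both modes, otherwise a
            # denied embedder could present "null" and slip past a deny-list.
            return False
        listed = origin in self.origins
        return listed if self.mode == "allow" else not listed
```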