- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 17 Jul 2012 23:05:18 +0000 (UTC)
- To: Bronislav Klučka <Bronislav.Klucka@bauglir.com>
- cc: public-webapps@w3.org
- Message-ID: <Pine.LNX.4.64.1207172254110.27616@ps20323.dreamhostps.com>
On Wed, 18 Jul 2012, Bronislav Klučka wrote:
>
> Since script is loaded using HTTP, why not use already defined CORS headers on
> server side while serving those scripts?

CORS is the wrong semantic. It's not "origin A is allowed to read content from origin B", it's "origin A is allowed to cause origin B to run code", which is a very different threat model. It would be quite bad for us to say that any file that you can read from another origin, you can cause to be executed as script in that origin.

> And if you want it to be defined in JS file itself, I'll suggest "use
> strict" approach:
>
> file> ---------------------------------------------------------------
> "Access-Control-Allow-Origin: *";
> (function(){
>     "use strict";
>     var x = 5;
> })();
> ---------------------------------------------------------------<file

Whether it's a string or a comment seems like a detail. If we do do this, I expect we'll find something that's somewhat language-agnostic (e.g. allowing any leading and trailing punctuation on the first line, or something to that effect).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 17 July 2012 23:05:40 UTC