- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 5 Jan 2015 12:45:26 +0100
- To: Tim Berners-Lee <timbl@w3.org>
- Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>

On Mon, Jan 5, 2015 at 12:26 PM, Tim Berners-Lee <timbl@w3.org> wrote:
> They are not. Data is special

Right. I think you could make your point more clear if rather than talking about scripts (which could themselves create <script> elements and such) you instead focused on the use case you care about, loading some data from another origin.

There's already a problem with that today, it requires the other origin to use CORS. If it does not have that you need to use a proxy (or indeed a native app).

If you want to authenticate your application it requires the other origin to support TLS (in addition to CORS). Again, you can use a proxy to circumvent this (or indeed a native app).

Not having these restrictions in place enables all kinds of attacks and classic bugs ;-)

--
https://annevankesteren.nl/

Received on Monday, 5 January 2015 11:45:55 UTC