[whatwg] Re: Cross Domain Policies

First of all, to dispel the myth of cross domain scripting:

Cross domain scripting is easily doable in all browsers today, and it
won't change.  Any domain can include JavaScript files from any other
domain.  That allows two-way communication.  Done.

This doesn't make web services less secure - most programming toolkits
allow cross domain web services without any restrictions.  Publicly
available web services are obviously meant to be consumed by anyone.
If they want to restrict, they can use username/passwords to do that,
as does Google.

The only reason we didn't allow cross domain web services access is
intranets - since Mozilla does the actual SOAP connection, user A in
a workplace with internet and intranet access could get to evil.com,
which talks to an intranet web service.

Received on Monday, 26 July 2004 15:07:33 UTC
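
The intranet case from the last paragraph of the message, as an added example that is not part of the original message or of Mozilla's code: a policy check that refuses a cross-origin service call when a public page targets an intranet host. The function names and the suffix list are hypothetical, and "intranet" is assumed to mean loopback, RFC 1918 and link-local IPv4 addresses, single-label hostnames, and listed suffixes.

```javascript
// Added example: decide whether a page may call a web service on another host.
// Hypothetical names; the suffix list is a constructed sample value.
const INTRANET_SUFFIXES = [".corp.example", ".internal"];

// Return the four octets of a dotted-quad IPv4 literal, or null.
function ipv4Octets(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

function isIntranetHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  const octets = ipv4Octets(h);
  if (octets) {
    const [a, b] = octets;
    return a === 10 || a === 127 ||          // 10/8, loopback
      (a === 172 && b >= 16 && b <= 31) ||   // 172.16/12
      (a === 192 && b === 168) ||            // 192.168/16
      (a === 169 && b === 254);              // link-local
  }
  // Single-label names ("payroll") resolve on the local network. IPv6
  // literals are not parsed here; having no dot, they land in this branch
  // and are treated as intranet (fail closed).
  if (h === "localhost" || !h.includes(".")) return true;
  return INTRANET_SUFFIXES.some((s) => h.endsWith(s));
}

// Same-origin calls and public-to-public calls pass, as do calls made by
// intranet pages. Only a public page reaching an intranet service is refused.
function allowServiceCall(pageUrl, serviceUrl) {
  const page = new URL(pageUrl);
  const svc = new URL(serviceUrl);
  if (page.origin === svc.origin) return true;
  return isIntranetHost(page.hostname) || !isIntranetHost(svc.hostname);
}
```

A hostname check alone does not cover a public name that resolves to a private address, so a real client would apply the same classification to the resolved address at connect time.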