- From: Gervase Markham <gerv@mozilla.org>
- Date: Tue, 21 Mar 2006 00:20:40 +0000
Chris Holland wrote:
> That's where the extra HTTP header would come-in:
> "X-Allow-Foreign-Hosts": Forcing developers who expose such a service,
> to make the conscious choice to expose data to the world, what Jim
> refers to as "OPT-IN".

I believe the usual objection to this (which was raised when I suggested something similar) is that some services respond to requests by doing something - therefore, a model which allows cross-site requests has to check that the request is permitted before making it, not before processing the result.

I believe the Mozilla Foundation has done some work in this area using a top-level site-wide XML document to specify what services can be accessed cross-domain; but I don't know the details. Perhaps someone else can chime in with them.

Gerv
Received on Monday, 20 March 2006 16:20:40 UTC
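The ordering problem discussed in this message, as an added example that is not part of the original post: an in-memory model (no network) comparing a client that checks the `X-Allow-Foreign-Hosts` response header with one that checks permission before sending. Everything except that header name is hypothetical, including the `policy` lookup, which stands in for a site-wide policy document whose real format the thread does not give.

```javascript
// Constructed model of a service whose endpoint acts on every request it receives.
function makeService({ sendsOptInHeader, policyAllows }) {
  const state = { actionsPerformed: 0 };
  return {
    state,
    // Hypothetical site-wide policy lookup: answered without touching the endpoint.
    policy: (origin) => policyAllows.includes(origin),
    // Side-effecting endpoint: it performs the action first, then answers.
    handle(_request) {
      state.actionsPerformed += 1;
      const headers = sendsOptInHeader ? { 'X-Allow-Foreign-Hosts': 'true' } : {};
      return { headers, body: 'done' };
    },
  };
}

// Model A: opt-in header inspected on the response, i.e. after processing.
function requestCheckedAfter(service, _origin, request) {
  const response = service.handle(request); // the action has already happened
  const allowed = response.headers['X-Allow-Foreign-Hosts'] === 'true';
  return { sent: true, delivered: allowed, body: allowed ? response.body : null };
}

// Model B: permission established before the request is made.
function requestCheckedBefore(service, origin, request) {
  if (!service.policy(origin)) {
    return { sent: false, delivered: false, body: null }; // nothing reaches the endpoint
  }
  const response = service.handle(request);
  return { sent: true, delivered: true, body: response.body };
}

// Same cross-site request against two services that have NOT opted in.
function compareModels() {
  const origin = 'https://other.example'; // constructed foreign origin
  const request = { method: 'POST', path: '/do-something' }; // constructed request
  const a = makeService({ sendsOptInHeader: false, policyAllows: [] });
  const b = makeService({ sendsOptInHeader: false, policyAllows: [] });
  const after = requestCheckedAfter(a, origin, request);
  const before = requestCheckedBefore(b, origin, request);
  return {
    checkedAfter: { delivered: after.delivered, actionsPerformed: a.state.actionsPerformed },
    checkedBefore: { delivered: before.delivered, actionsPerformed: b.state.actionsPerformed },
  };
}

console.log(compareModels());
```

In both models the caller never sees the response body, but only the check-before model leaves the service's state untouched.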