- From: Jim Ley <jim.ley@gmail.com>
- Date: Tue, 21 Mar 2006 05:55:33 +0000
On 3/21/06, Gervase Markham <gerv at mozilla.org> wrote:
> Chris Holland wrote:
> > That's where the extra HTTP header would come in:
> > "X-Allow-Foreign-Hosts": Forcing developers who expose such a service,
> > to make the conscious choice to expose data to the world, what Jim
> > refers to as "OPT-IN".
>
> I believe the usual objection to this (which was raised when I suggested
> something similar) is that some services respond to requests by doing
> something ]

The flaw in that argument is that img.src="..." is equivalent, if the initial challenge request is a GET, which of course the spec can require.

> - therefore, a model which allows cross-site requests has to
> check that the request is permitted before making it, not before
> processing the result.

Certainly, that's one of the issues with the header approach - the GET and check for header or check magic URL for an XML doc, then make the request should be safe from such issues. Both Mozilla and Flash already have that deployed and working.

Jim.
Received on Monday, 20 March 2006 21:55:33 UTC
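The "GET and check, then make the request" ordering Jim describes, written out as an added example (not code from the thread or from Mozilla or Flash). It assumes, as labelled in the comments, a policy document at `/crossdomain-policy.xml` with `<allow-access-from domain="..."/>` elements and an `X-Allow-Foreign-Hosts` header carrying `*` or a comma-separated list of origins; both formats are my assumptions, since the thread names only the header and "an XML doc". Servers are constructed in memory so it runs offline.

```python
import xml.etree.ElementTree as ET

# Constructed in-memory "servers": host -> path -> (status, headers, body).
SERVERS = {
    "api.example.test": {
        "/crossdomain-policy.xml": (200, {}, '<cross-domain-policy>'
            '<allow-access-from domain="app.example.test"/></cross-domain-policy>'),
        "/account/delete": (200, {}, "deleted"),
    },
    "data.example.test": {
        "/feed": (200, {"X-Allow-Foreign-Hosts": "*"}, "<feed/>"),
    },
}
SENT = []  # every (method, host, path) actually sent, so side effects can be audited

def fetch(method, host, path):
    SENT.append((method, host, path))
    return SERVERS.get(host, {}).get(path, (404, {}, ""))

def _listed(origin, names):
    return "*" in names or origin in names

def policy_doc_allows(origin, host):
    """Step 1: GET the policy document (assumed path). A GET is all img.src could do anyway."""
    status, _, body = fetch("GET", host, "/crossdomain-policy.xml")
    if status != 200:
        return None  # no policy document published
    doms = [e.get("domain", "") for e in ET.fromstring(body).iter("allow-access-from")]
    return _listed(origin, doms)

def cross_site_request(origin, host, path, method="GET"):
    """Return (allowed, body). Permission is checked before any non-GET is sent."""
    decision = policy_doc_allows(origin, host)
    if decision is True:
        _, _, body = fetch(method, host, path)
        return True, body
    if decision is False or method != "GET":
        return False, None  # policy denies, or no policy and the request is not a plain GET
    # No policy document and the request is a GET: sending it is no worse than img.src,
    # so send it, but expose the body only if the response opts in via the header.
    _, headers, body = fetch("GET", host, path)
    hosts = [h.strip() for h in headers.get("X-Allow-Foreign-Hosts", "").split(",") if h.strip()]
    return (True, body) if _listed(origin, hosts) else (False, None)
```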