- From: Maciej Stachowiak <mjs@apple.com>
- Date: Mon, 29 Sep 2008 21:33:24 -0700

On Sep 28, 2008, at 3:32 AM, Robert O'Callahan wrote:

> On Sun, Sep 28, 2008 at 10:52 PM, Michal Zalewski <lcamtuf at dione.cc> wrote:
>
>> other browsers are getting cross-domain XMLHttpRequest headers
>
> Using the W3C Access Controls spec, which I am suggesting to reuse here. If you're not familiar with that spec, it's here: http://www.w3.org/TR/access-control/
>
>> Now consider that "I-Do-Not-Want-To-Be-Loaded-Across-Domains" is also inherently incompatible with mashups, content separation, gadgets, etc, and there is a very vocal group of proponents and promoters for these technologies (which is why browser vendors are implementing cross-domain XMLHttpRequest to begin with). So we would probably rather want to say "I-Want-To-Be-Loaded-Only-By: <list_of_domains>".
>
> I'm suggesting just reusing the Access Controls spec for that.
>
> So for example, the server could say:
>
>     Same-Origin-Only-Unless-Access-Controls-Says-Otherwise: yes
>     Access-Control-Allow-Origin: http://example.com

I think this is a really good proposal. It would allow Web sites to place all content under a single uniform policy for access control, as opposed to the state today where cross-site access depends on how the resource is embedded.

Would "Require-Access-Control" be an adequate synonym for "Same-Origin-Only-Unless-Access-Controls-Says-Otherwise", on the assumption that same-origin access always satisfies access control?

Regards,
Maciej
Received on Monday, 29 September 2008 21:33:24 UTC
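The decision rule the thread converges on (same-origin access is always allowed; a resource that opts in with the proposed header is otherwise loadable cross-origin only when the W3C Access Control header names the requesting origin) can be written down as a small policy evaluator. The following is an added example, not code from this thread, from the WHATWG, or from any browser; it assumes the header name "Require-Access-Control" with the value "yes" (Maciej's proposed synonym), treats "Access-Control-Allow-Origin" as a space-separated origin list or "*", and reports "legacy" when the opt-in header is absent, since the mail says that case still depends on how the resource is embedded. The origins and headers in the sample are constructed.

```python
"""Evaluate the opt-in cross-origin policy discussed in the thread.

Added example (not the thread's or any browser's code). Header names and the
"yes" value are assumptions taken from the mail, not from a finished spec.
"""
from urllib.parse import urlsplit

REQUIRE_HEADER = "require-access-control"          # assumed name from the mail
ALLOW_ORIGIN_HEADER = "access-control-allow-origin"  # W3C Access Control header

ALLOW, DENY, LEGACY = "allow", "deny", "legacy"


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], dropping the default port."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"cannot derive an origin from {url!r}")
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    port = parts.port
    if port is None or port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def decide(requesting_origin: str, resource_url: str, response_headers: dict) -> str:
    """Return ALLOW, DENY or LEGACY for a cross-origin load of resource_url.

    LEGACY means the resource did not opt in, so today's per-embedding rules
    (script, image, XHR, ...) apply and this function does not model them.
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    requester = origin_of(requesting_origin)
    resource = origin_of(resource_url)

    # Same-origin access always satisfies access control.
    if requester == resource:
        return ALLOW

    # No opt-in header: behaviour is whatever the embedding context allows today.
    if headers.get(REQUIRE_HEADER, "").lower() != "yes":
        return LEGACY

    # Opted in: only an explicit Access-Control-Allow-Origin grant lets the
    # cross-origin load through.
    allowed = headers.get(ALLOW_ORIGIN_HEADER)
    if allowed is None:
        return DENY
    if allowed == "*":
        return ALLOW
    for token in allowed.split():
        try:
            if origin_of(token) == requester:
                return ALLOW
        except ValueError:
            continue  # malformed entry in the list never grants access
    return DENY


# Constructed sample: the response headers from the mail's example.
SAMPLE_RESOURCE = "http://api.example.org/data.json"
SAMPLE_HEADERS = {
    "Require-Access-Control": "yes",
    "Access-Control-Allow-Origin": "http://example.com",
}

if __name__ == "__main__":
    for origin in ("http://api.example.org", "http://example.com", "http://other.example"):
        print(origin, "->", decide(origin, SAMPLE_RESOURCE, SAMPLE_HEADERS))
```

Origins are normalised before comparison so that "http://example.com:80" and "http://example.com" match, which mirrors how a browser would compare them; a list entry that is not a valid origin is skipped rather than treated as a match.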