
[whatwg] Lifting cross-origin XMLHttpRequest restrictions?

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 12 Mar 2010 08:41:28 +0100
Message-ID: <op.u9f2bera64w2qv@annevk-t60>
On Fri, 12 Mar 2010 08:35:48 +0100, Brett Zamir <brettz9 at yahoo.com> wrote:
> My apologies if this has been covered before, or if my asking this is a  
> bit dense, but I don't understand why there are restrictions on  
> obtaining data via XMLHttpRequest from other domains, if the request  
> could be sandboxed to avoid passing along sensitive user data like  
> cookies (or if the user could be asked for permission, as when  
> installing browser extensions that offer similar privileges).

Did you see



> Servers are already free to obtain and mix in content from other sites,  
> so why can't client-side HTML JavaScript be similarly empowered?

Because you would also have access to e.g. IP-authenticated servers.

Anne van Kesteren
Received on Thursday, 11 March 2010 23:41:28 UTC
