[whatwg] Lifting cross-origin XMLHttpRequest restrictions?

From: Anne van Kesteren <annevk@opera.com>
Date: Sun, 14 Mar 2010 11:06:58 +0100
Message-ID: <op.u9jydnd664w2qv@annevk-t60>

On Sun, 14 Mar 2010 02:45:26 +0100, Brett Zamir <brettz9 at yahoo.com> wrote:
>>> Servers are already free to obtain and mix in content from other
>>> sites, so why can't client-side HTML JavaScript be similarly empowered?
>>
>> Because you would also have access to e.g. IP-authenticated servers.
>
> As suggested above, could a header be required on compliant browsers to
> send a header along with their request indicating the originating
> server's domain?

No, existing servers would still be vulnerable.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Sunday, 14 March 2010 03:06:58 UTC
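
Added example, not part of the original message or of any browser's code: a network-free model of the point made in the reply, comparing a browser that only announces the requesting origin with one that exposes a response only when the server opts in. The server functions, the lowercase "origin" request header, the addresses and the sample data are constructed assumptions; Access-Control-Allow-Origin is the opt-in response header defined by CORS.

```javascript
// Constructed model: no network I/O. All names and addresses are hypothetical.
const INTRANET_PREFIX = "10.0.";           // clients the legacy server trusts
const SECRET = "internal payroll report";  // constructed sample data

// Legacy server deployed before any new header existed: it authenticates
// by source IP only and never looks at request headers.
function legacyServer(req) {
  if (!req.remoteAddr.startsWith(INTRANET_PREFIX)) {
    return { status: 403, headers: {}, body: "" };
  }
  return { status: 200, headers: {}, body: SECRET };
}

// Server updated for the opt-in model: it names the origin allowed to read.
function optInServer(req) {
  const res = legacyServer(req);
  if (res.status === 200 && req.headers["origin"] === "https://portal.example") {
    res.headers["access-control-allow-origin"] = req.headers["origin"];
  }
  return res;
}

// Browser policy 1 (the proposal quoted in the thread): attach the page's
// origin to the request and hand the response to the script unconditionally.
function browserSendHeaderOnly(server, pageOrigin, userAddr) {
  const res = server({ remoteAddr: userAddr, headers: { origin: pageOrigin } });
  return res.status === 200 ? res.body : null;
}

// Browser policy 2 (opt-in): same request, but the script sees the body
// only if the response explicitly allows the requesting origin.
function browserOptIn(server, pageOrigin, userAddr) {
  const res = server({ remoteAddr: userAddr, headers: { origin: pageOrigin } });
  const allowed = res.headers["access-control-allow-origin"] === pageOrigin;
  return res.status === 200 && allowed ? res.body : null;
}

const user = "10.0.4.17"; // the browser sits inside the trusted network
const results = {
  headerOnlyLegacy: browserSendHeaderOnly(legacyServer, "https://other.example", user),
  optInLegacy: browserOptIn(legacyServer, "https://other.example", user),
  optInUntrusted: browserOptIn(optInServer, "https://other.example", user),
  optInTrusted: browserOptIn(optInServer, "https://portal.example", user),
};
console.log(results);
```

Only the first case hands the body to the foreign page: the unmodified server ignores the announced origin, so protection that depends on servers checking a new request header does not cover servers that were never updated.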
