- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 10 May 2010 11:38:32 +0200
- To: Nathan <nathan@webr3.org>
- Cc: "www-tag@w3.org" <www-tag@w3.org>
On Mon, 10 May 2010 11:16:54 +0200, Nathan <nathan@webr3.org> wrote: > long-term though, surely it's quite an issue that a web application, > running in a web browser, conforming to all the standards and the design > principals of the web, can't use the web? It's certainly annoying, but unless we start over I do not really see how we can change the (arguably broken) security fundamentals of the platform. (What is being protected here are servers on an intranet that do not require authentication and servers that use IP-based authentication. Without the same-origin protection evil.example could get data from intranet.corp.example if a user that is on an intranet with access to intranet.corp.example visits evil.example (e.g. via a phishing attack).) -- Anne van Kesteren http://annevankesteren.nl/
Received on Monday, 10 May 2010 09:39:26 UTC