- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 11 May 2010 15:57:31 +0200
- To: nathan@webr3.org, "Mark S. Miller" <erights@google.com>
- Cc: "www-tag@w3.org" <www-tag@w3.org>
On Tue, 11 May 2010 15:47:41 +0200, Mark S. Miller <erights@google.com> wrote:

> Given an apache compatible web server, you could add
>
> <FilesMatch "\.js$">
> Header set Access-Control-Allow-Origin "*"
> </FilesMatch>
>
> in a root .htaccess file. Adding this header is a good idea for all
> resources that parse as JavaScript anyway, as should be the case for all
> *.js files and for all JSONP services, since these resources are already
> not protected by the Same Origin Policy. For these resources, adding this
> header *cannot* result in any loss of security.

Actually, that is incorrect. Being able to read the contents of a JavaScript is quite different from being able to execute a JavaScript file. E.g. there could be confidential comments in the file or some such.

(I'm not saying that any of this is a good idea, just that it is not at all the same.)

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 11 May 2010 13:58:23 UTC
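
The distinction drawn in the reply (script text becomes readable, not merely executable, once `Access-Control-Allow-Origin: *` is set) can be checked before such a header is deployed. The following is an added example, not part of the original message: it lists the comments in every file matched by the `\.js$` pattern from the quoted directive. The function names and sample files are constructed, and regex literals are not parsed (a simplification).

```javascript
// Added example: find comments in *.js files that would become readable
// cross-origin if the files were served with Access-Control-Allow-Origin: *.
// Assumption: regex literals are not recognized, so a pattern such as
// /\/\// may be misreported; strings and template literals are skipped.
function extractComments(src) {
  const comments = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (c === '"' || c === "'" || c === '`') {
      // Skip the literal, honoring backslash escapes.
      i++;
      while (i < src.length && src[i] !== c) i += src[i] === '\\' ? 2 : 1;
      i++;
    } else if (c === '/' && n === '/') {
      let end = src.indexOf('\n', i);
      if (end === -1) end = src.length;
      comments.push(src.slice(i + 2, end).trim());
      i = end;
    } else if (c === '/' && n === '*') {
      let end = src.indexOf('*/', i + 2);
      if (end === -1) end = src.length;
      comments.push(src.slice(i + 2, end).trim());
      i = end + 2;
    } else {
      i++;
    }
  }
  return comments;
}

// files: object mapping path -> source text.
function auditForWildcardCors(files) {
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    if (!/\.js$/.test(path)) continue; // same pattern as the FilesMatch directive
    const comments = extractComments(src);
    if (comments.length) findings.push({ path, comments });
  }
  return findings;
}

// Constructed sample input.
const sampleFiles = {
  'app.js': 'var u = "http://example.test/x"; // TODO: remove staging key path\nfunction f(){ return 1; }\n',
  'lib/min.js': 'function g(){return "/* not a comment */"}',
  'notes.txt': '// plain text, not matched',
};
console.log(JSON.stringify(auditForWildcardCors(sampleFiles), null, 2));
```
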