- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sun, 19 Feb 2006 18:37:27 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: Brad Porter <bwporter@tellme.com>, Anne van Kesteren <annevk@opera.com>, www-voice@w3.org, public-webapi@w3.org, public-appformats@w3.org, mozilla-xbl@mozilla.org

On Feb 19, 2006, at 6:32 PM, Ian Hickson wrote:

> On Sat, 18 Feb 2006, Maciej Stachowiak wrote:
>>
>> I thought about this some more, and it no longer makes sense to me. If
>> off-site XBL runs in the security context of the referencing document,
>> not the XBL document, then why would <?access-control?> be useful?
>
> You want to prevent people from being able to use off-site XBL files
> without those files being intended for that purpose because otherwise you
> would be allowed to fetch any arbitrary XML on any site (including, e.g.,
> authenticated extranet or intranet sites).

OK, makes sense for this use case. Thanks for the explanation. I did not think of the XBL file itself as potentially being the target of unauthorized data access.

Regards,
Maciej

Received on Monday, 20 February 2006 02:38:43 UTC