[whatwg] JSONRequest

[Gervase Markham]

Darin Fisher wrote:
> Keep in mind that there is also the problem that the POST request may
> have undesirable side-effects.  The web app probably needs a request
> header from the browser to tell it what domain is sending it data.  The
> Referer header is not sufficient since the browser will not send a HTTPS
> referrer-URI over plaintext.

And Referer, of course, is optional. And having something which is
compulsory might raise privacy issues.

> We need to restrict READs as well as WRITEs when it comes to XSS ;-)

Good point; I'd forgotten that.

Gerv