[whatwg] JSONRequest

Gervase Markham gerv at mozilla.org
Mon Mar 13 14:23:10 PST 2006

Darin Fisher wrote:
> Keep in mind that there is also the problem that the POST request may
> have undesirable side-effects.  The web app probably needs a request
> header from the browser to tell it what domain is sending it data.  The
> Referer header is not sufficient since the browser will not send a HTTPS
> referrer-URI over plaintext.

And Referer, of course, is optional. And having something which is
compulsory might raise privacy issues.

> We need to restrict READs as well as WRITEs when it comes to XSS ;-)

Good point; I'd forgotten that.


More information about the whatwg mailing list