gerv at mozilla.org
Mon Mar 20 16:20:40 PST 2006

Chris Holland wrote:
> That's where the extra HTTP header would come in:
> "X-Allow-Foreign-Hosts": Forcing developers who expose such a service,
> to make the conscious choice to expose data to the world, what Jim
> refers to as "OPT-IN".

I believe the usual objection to this (which was raised when I suggested
something similar) is that some services respond to requests by doing
something - therefore, a model which allows cross-site requests has to
check that the request is permitted before making it, not before
processing the result.

I believe the Mozilla Foundation has done some work in this area using a
top-level site-wide XML document to specify what services can be
accessed cross-domain; but I don't know the details. Perhaps someone
else can chime in with them.
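
An added example, not part of the original message: a constructed, network-free simulation of the objection above, comparing a client that checks the opt-in header after the response with one that checks a policy before sending. The service object, its `/delete` endpoint, the header value `"true"` and the `policy` field (a stand-in for a site-wide policy document) are all assumptions for illustration.

```javascript
// Constructed simulation, no network. All names are hypothetical.
function makeService(optsIn) {
  const deleted = []; // server-side state changed by requests
  return {
    deleted,
    // Stand-in for a site-wide policy a client can read before sending.
    policy: { allowForeignHosts: optsIn },
    handle(req) {
      // The side effect happens while the request is processed,
      // before any response header exists for the client to inspect.
      if (req.method === "POST" && req.path === "/delete") {
        deleted.push(req.id);
      }
      // Header value "true" is an assumption; the thread names only the header.
      const headers = optsIn ? { "X-Allow-Foreign-Hosts": "true" } : {};
      return { headers, body: "ok" };
    },
  };
}

// Model A: send the request, then gate the *result* on the opt-in header.
function checkAfterResponse(service, req) {
  const res = service.handle(req);
  const allowed = res.headers["X-Allow-Foreign-Hosts"] === "true";
  return { requestSent: true, body: allowed ? res.body : null };
}

// Model B: gate the *request* on the policy; nothing is sent if denied.
function checkBeforeRequest(service, req) {
  if (!service.policy.allowForeignHosts) {
    return { requestSent: false, body: null };
  }
  return { requestSent: true, body: service.handle(req).body };
}

function compareModels() {
  const req = { method: "POST", path: "/delete", id: 42 };
  const a = makeService(false); // service never opted in
  const b = makeService(false);
  const resA = checkAfterResponse(a, req);
  const resB = checkBeforeRequest(b, req);
  return {
    after: { bodyHidden: resA.body === null, sideEffects: a.deleted.length },
    before: { bodyHidden: resB.body === null, sideEffects: b.deleted.length },
  };
}

console.log(compareModels());
```

Both models hide the response body from the foreign caller, but only the check made before sending leaves the non-opted-in service's state untouched.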