jim.ley at gmail.com
Mon Mar 20 21:55:33 PST 2006
On 3/21/06, Gervase Markham <gerv at mozilla.org> wrote:
> Chris Holland wrote:
> > That's where the extra HTTP header would come-in:
> > "X-Allow-Foreign-Hosts": Forcing developers who expose such a service,
> > to make the conscious choice to expose data to the world, what Jim
> > refers to as "OPT-IN".
> I believe the usual objection to this (which was raised when I suggested
> something similar) is that some services respond to requests by doing
> something ]
The flaw in that argument is that img.src="..." is equivalent. If the
initial challenge request is a GET, which it of course the spec can
>- therefore, a model which allows cross-site requests has to
> check that the request is permitted before making it, not before
> processing the result.
Certainly, that's one of the issues with the header approach - the GET
and check for header or check magic URL for an XML doc, then make the
request should be safe from such issues. Both Mozilla and Flash
already have that deployed and working.
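An added illustration of the two models being compared above (it is not code from this message or from the whatwg thread; the header name follows Chris Holland's proposal, the policy URL and document format are modelled on Flash's crossdomain.xml, and the servers, hostnames and endpoints are constructed for the demo). It shows why checking the opt-in header only after the server has answered is too late when the request has a side effect, and how a GET-only challenge (no more than img.src can already do) before the real request avoids that:

```javascript
// Added example, not code from the whatwg thread. In-memory simulation of
// "check after processing the result" versus "check before making the request".
const OPT_IN_HEADER = 'x-allow-foreign-hosts'; // proposed opt-in header, lower-cased
const POLICY_URL = '/crossdomain.xml';          // hypothetical "magic URL", modelled on Flash
const REQUESTER = 'attacker.example';           // constructed foreign origin making the request

// A constructed origin server. `state` records side effects so callers can see
// whether a request was actually processed.
function makeServer({ allowedHosts = [], policyDoc = null } = {}) {
  const state = { deletions: 0 };
  const optInHeaders = () =>
    allowedHosts.length ? { [OPT_IN_HEADER]: allowedHosts.join(' ') } : {};
  return {
    state,
    handle(req) {
      if (req.method === 'GET' && req.path === POLICY_URL) {
        return policyDoc
          ? { status: 200, headers: optInHeaders(), body: policyDoc }
          : { status: 404, headers: {}, body: '' };
      }
      if (req.path === '/account') {
        if (req.method === 'POST') {
          state.deletions += 1; // side effect happens on receipt, whoever asked
          return { status: 200, headers: optInHeaders(), body: 'account deleted' };
        }
        return { status: 200, headers: optInHeaders(), body: 'account page' }; // GET is read-only
      }
      return { status: 404, headers: {}, body: '' };
    },
  };
}

// Does a response carry an opt-in header that admits `host`?
function headerAllows(headers, host) {
  const value = headers[OPT_IN_HEADER];
  if (!value) return false;
  return value.split(/\s+/).some((h) => h === '*' || h === host);
}

// Does a Flash-style policy document admit `host`? Deliberately minimal parsing.
function policyAllows(policyBody, host) {
  const re = /<allow-access-from\s+domain="([^"]+)"/g;
  let m;
  while ((m = re.exec(policyBody)) !== null) {
    if (m[1] === '*' || m[1] === host) return true;
  }
  return false;
}

// Model 1 (the objection Gervase raises): send the request, then decide whether
// script may see the result. The server has already acted by then.
function checkAfterResponse(server, req, host) {
  const res = server.handle(req);
  return headerAllows(res.headers, host) ? res.body : null;
}

// Model 2: a GET-only challenge first (policy document, else the header on a
// plain GET of the target), and the real request only if this host is opted in.
function checkBeforeRequest(server, req, host) {
  const policy = server.handle({ method: 'GET', path: POLICY_URL });
  let allowed = policy.status === 200 && policyAllows(policy.body, host);
  if (!allowed) {
    const probe = server.handle({ method: 'GET', path: req.path });
    allowed = headerAllows(probe.headers, host);
  }
  if (!allowed) return null; // nothing with a side effect was sent
  return server.handle(req).body;
}

// Constructed scenario: a foreign page POSTs to a delete endpoint under each model,
// against a server that never opted in and against two that did.
function demo() {
  const del = { method: 'POST', path: '/account', body: 'action=delete' };
  const closed = makeServer();
  const viaAfter = checkAfterResponse(closed, del, REQUESTER);
  const deletionsAfterModel1 = closed.state.deletions; // 1: damage done, result hidden
  const viaBefore = checkBeforeRequest(closed, del, REQUESTER);
  const deletionsAfterModel2 = closed.state.deletions; // still 1: the POST was never sent

  const viaPolicy = makeServer({
    policyDoc: '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>',
  });
  const viaHeader = makeServer({ allowedHosts: [REQUESTER] });
  return {
    viaAfter, viaBefore, deletionsAfterModel1, deletionsAfterModel2,
    policyResult: checkBeforeRequest(viaPolicy, del, REQUESTER),
    headerResult: checkBeforeRequest(viaHeader, del, REQUESTER),
    policyDeletions: viaPolicy.state.deletions,
    headerDeletions: viaHeader.state.deletions,
  };
}
```

The probe in model 2 is a bare GET with no body and no custom headers, which is the point of the argument: it exposes nothing a cross-site img.src could not already trigger, so the server's opt-in decision is consulted before any request that could do more than that.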