[whatwg] Lifting cross-origin XMLHttpRequest restrictions?
Anne van Kesteren
annevk at opera.com
Thu Mar 11 23:41:28 PST 2010
On Fri, 12 Mar 2010 08:35:48 +0100, Brett Zamir <brettz9 at yahoo.com> wrote:
> My apologies if this has been covered before, or if my asking this is a
> bit dense, but I don't understand why there are restrictions on
> obtaining data via XMLHttpRequest from other domains, if the request
> could be sandboxed to avoid passing along sensitive user data like
> cookies (or if the user could be asked for permission, as when
> installing browser extensions that offer similar privileges).
Did you see
http://dev.w3.org/2006/webapi/XMLHttpRequest-2/
http://dev.w3.org/2006/waf/access-control/
?
> Servers are already free to obtain and mix in content from other sites,
> so why can't client-side HTML JavaScript be similarly empowered?
Because you would also have access to e.g. IP-authenticated servers.
--
Anne van Kesteren
http://annevankesteren.nl/
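
The point about IP-authenticated servers, as an added example that is not part of the original message: a simplified version of the opt-in check a browser makes before exposing a cross-origin XMLHttpRequest response to script, along the lines of the access-control draft linked above. The function names, hostnames and header sets are constructed for illustration, and the check assumes a single origin value in `Access-Control-Allow-Origin`.

```javascript
// Added illustration: the server opt-in check applied before a cross-origin
// response is handed to script. All hostnames and headers are constructed.

function headerValue(headers, name) {
  // HTTP header names are case-insensitive.
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Returns true only if the response may be exposed to the requesting page.
function resourceSharingCheck(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = headerValue(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false; // server never opted in
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }
  // Credentialed requests: the wildcard is not accepted, and the server must
  // also send Access-Control-Allow-Credentials: true.
  if (allowOrigin !== requestOrigin) return false;
  return headerValue(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

const page = "https://app.example"; // constructed requesting origin
const cases = {
  // Intranet server that trusts any client on the office network by IP.
  // It sends no opt-in header, so the page cannot read the response even
  // though the request carried no cookies: the user's network position is
  // itself the credential, and stripping cookies does not remove it.
  ipAuthenticatedIntranet: resourceSharingCheck(page, false, { "Content-Type": "text/html" }),
  // Public data whose server explicitly opts in for every origin.
  publicApi: resourceSharingCheck(page, false, { "access-control-allow-origin": "*" }),
  // Wildcard plus cookies is rejected.
  wildcardWithCookies: resourceSharingCheck(page, true, {
    "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" }),
  // Named origin plus explicit credentials opt-in is accepted.
  optedInWithCookies: resourceSharingCheck(page, true, {
    "Access-Control-Allow-Origin": page, "Access-Control-Allow-Credentials": "true" }),
};
console.log(cases);
```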