[whatwg] Lifting cross-origin XMLHttpRequest restrictions?

Anne van Kesteren annevk at opera.com
Sun Mar 14 03:06:58 PDT 2010

On Sun, 14 Mar 2010 02:45:26 +0100, Brett Zamir <brettz9 at yahoo.com> wrote:
>>> Servers are already free to obtain and mix in content from other
>>> sites, so why can't client-side HTML JavaScript be similarly empowered?
>> Because you would also have access to e.g. IP-authenticated servers.
> As suggested above, could a header be required on compliant browsers to
> send a header along with their request indicating the originating
> server's domain?

No, existing servers would still be vulnerable.

Anne van Kesteren

More information about the whatwg mailing list