[whatwg] Behavior when <script> is removed from DOM
Mark S. Miller
erights at google.com
Thu Dec 8 15:00:37 PST 2011
On Thursday, December 8, 2011, Jonas Sicking wrote:
> > Given only that the JSONP response has a ACCESS-CONTROL-ALLOW-ORIGIN:*
> > header, the API you suggest below can be fully implemented as a library.
> > anyway, rather than carve out a special case for JSONP, should we waive
> > the ACCESS-CONTROL-ALLOW-ORIGIN:* requirement on responses that parse as
> out a
> > special case for JSONP?
> There's two *possible* reasons to treat JSONP special.
> The weak reason would be to support existing JSONP-serving servers
> which are out there already. JSONP appears to be one of the more
> popular formats for HTTP-based APIs right now.
> The stronger reason is that it appears that people have a very hard
> time setting http headers. While this seems surprising to me,
> especially in situations like this where you already have server-side
> scripts generating dynamic content, it is feedback that I get *a lot*.
> Another option would be some way to express CORS signals inline in
> content. This actually existed in early CORS drafts, but only for XML
> based contents which made it a lot less appealing. Especially since
> the XML based content had to be served with a proper Content-Type
> header which puts us back at square one.
is interpreted as an inline signal, since same-origin protection for these
responses make no sense. The reason why you're willing to carve out a
special case for JSONP is precisely because these responses, parsing as
> / Jonas
More information about the whatwg