[whatwg] XML data islands related question

Anne van Kesteren annevk at annevk.nl
Thu Aug 8 07:05:52 PDT 2013

On Thu, Aug 8, 2013 at 3:01 PM, Jukka K. Korpela <jkorpela at cs.tut.fi> wrote:
> 2013-08-08 9:13, Ian Hickson wrote:
>> XHR uses the same underlying logic as <img src=""> and <script src="">. If
>> you're able to conjur a file up for <img src=""> or <script src="">, then
>> I don't see why you wouldn't be able to conjur it up for XHR.
> When a local HTML file is opened in a browser and it accesses local files,
> with simple relative URLs like "foo.png" or "bar.js", <img src=""> and
> <script src=""> do not cause HTTP requests of any kind.

XMLHttpRequest works for file URLs as well. In practice browsers often
have this pref-controlled and it's disabled by default for security
reasons (or a somewhat more complicated story). It's not too different
really. I would expect the same to apply to any similar kind of API as
it is mostly about being able to access the data rather than anything


More information about the whatwg mailing list