On Thursday, February 19, 2015 at 9:19:40 AM UTC+1, Anne van Kesteren wrote:
> On Wed, Feb 18, 2015 at 7:16 PM, James Burke <[email protected]> wrote:
> > Mobile use is really large. Native mobile apps do not have
> > restrictions from these APIs.
>
> As indicated most don't need them either.
>
> > If web sites are concerned about getting
> > cross domain hits, they can get them now from native apps.
>
> The only reason "native apps" have these is because they are centrally
> vetted and distributed. And not having that is what makes the web
> great.

In some people's eyes this rather cripples the web since it can't run trusted (vetted) code, which after the demise of NPAPI and ActiveX has become an even bigger issue.
http://www.cnet.com/news/google-paves-over-hole-left-by-chrome-plug-in-ban/

> > We definitely need to be careful, making sure we do not pass things
> > like cookies for these types of requests, and to also allow for
> > services to explicitly indicate they do not want to allow these types
> > of connections, but what has been suggested instead of using these
> > types of APIs does not seem better.
>
> XSRF is not the primary concern. Firewalled content is the concern.
>
>
> --
> https://annevankesteren.nl/

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
