It's great to see this happen; I've read over the proposal and draft and it sounds like the right things are identified. One quick question: why do this as a set of HTTP headers and not as a simple configuration file, such as the crossdomain.xml file that Flash does? The reason I say this is that usually those who can control HTTP headers and those who write HTML are two very different groups. Not saying that HTTP is bad, just wondering if you had gone through the thought process of having this configuration be in something like a crossdomain.xml type file.

Best,
Brad Neuberg
http://codinginparadise.org

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security