* J. Chris Anderson:

> Because of the sensitive nature of security issues we've been
> discussing this on the security list.

Uhm, it's not really sensitive, given that authentication is such a recent feature.

> You've mentioned a couple of times that XHR can make cross-domain
> post requests. I'm not sure this is the case (I know you can do
> cross domain form posts).

It's true for some Webkit-derived browsers (but I haven't checked the major implementations, Safari and Chrome). Firefox can also submit almost arbitrary POST data (certainly valid JSON syntax) using a form with enctype="text/plain", and the HttpOnly cookie is passed along.
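
Added example, not part of the original message or of any project's code: a server-side gate against the two request paths discussed above, a form post with enctype="text/plain" and a cross-domain XHR post. It assumes a JSON API whose browser clients send an `Origin` header; `checkRequest`, the request shape, the cookie value and the origins are hypothetical and constructed for illustration.

```javascript
// Content types an HTML form can submit cross-site without any script.
const FORM_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Lowercased media type with parameters such as "; charset=utf-8" removed.
function mediaType(headerValue) {
  return (headerValue || "").split(";")[0].trim().toLowerCase();
}

// Decide whether a state-changing request may be processed.
// req: {method, headers} with lowercased header names (assumed shape).
// allowedOrigins: origins that legitimately serve the UI (assumption).
function checkRequest(req, allowedOrigins) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true };
  const type = mediaType(req.headers["content-type"]);
  // A body that parses as JSON proves nothing: a form can produce one.
  if (type === "" || FORM_TYPES.has(type)) {
    return { ok: false, reason: "form-submittable content type" };
  }
  if (type !== "application/json") {
    return { ok: false, reason: "unexpected content type" };
  }
  // Script-driven cross-domain posts can set application/json themselves,
  // so the Origin header is checked as well when the browser supplies it.
  const origin = req.headers["origin"];
  if (origin !== undefined && !allowedOrigins.includes(origin)) {
    return { ok: false, reason: "cross-origin request" };
  }
  return { ok: true };
}

// Constructed sample requests; the session cookie rides along in each.
function demo() {
  const allowed = ["https://db.example"];
  const cookie = "session=constructed";
  return [
    { method: "POST", headers: { "content-type": "text/plain", cookie, origin: "https://other.example" } },
    { method: "POST", headers: { "content-type": "application/json", cookie, origin: "https://other.example" } },
    { method: "POST", headers: { "content-type": "application/json; charset=utf-8", cookie, origin: "https://db.example" } },
    { method: "GET", headers: { cookie } },
  ].map((req) => checkRequest(req, allowed));
}
```

The presence of a valid session cookie is deliberately ignored by the gate, since the cookie is attached by the browser in every one of these cases.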
