On 2009/09/29 19:07:57, jlabanca wrote:
> You can read through this doc for details:
> https://developer.mozilla.org/En/HTTP_access_control
[...]
> It's a feature, not a bug. Firefox has adopted a new proposed standard where it's
> up to the server to determine which origins can access the content.

I've been told that Safari 4 also implements CORS:
http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/

And FWIW, these tests pass in Chrome 4 too:
http://arunranga.com/examples/access-control/

Note that hacks.mozilla.org suggests a capability detection (xhr.withCredentials !== undefined or "withCredentials" in xhr)

> At some point, we should set up a publicly visible server that always denies
> cross site requests. It would be helpful to us and others.

Isn't it the case by default for any server? (since allowing –for the script– a cross-origin request is signaled by a specific header)
Or were you rather thinking about a server that checks the Origin request-header and replies with a 403 or similar?

Oh, and BTW, see also http://tools.ietf.org/html/draft-abarth-origin (it's more about CSRF mitigation, but still useful to know about it, given that it also defines an Origin request header)

http://gwt-code-reviews.appspot.com/73802
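The two server behaviours contrasted in the message above, together with the capability check it mentions, modelled as an added example that is not part of the original thread or of GWT. The handler names, `ALLOWED_ORIGINS` and the `example.test` origins are constructed for illustration, and the browser check covers only a simple request without credentials.

```javascript
// Added example: constructed names and origins, no network access needed.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Case 1: a server that knows nothing about CORS. It ignores Origin, does
// its work, and sends no Access-Control-Allow-Origin (ACAO) header.
function plainServer(req) {
  return { status: 200, headers: {}, handled: true };
}

// Case 2: a server that checks the Origin request header and refuses
// unlisted origins with 403 before doing any work.
function originCheckingServer(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) {
    // No Origin header: not a cross-origin browser request.
    return { status: 200, headers: {}, handled: true };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: { vary: "Origin" }, handled: false };
  }
  return {
    status: 200,
    headers: { "access-control-allow-origin": origin, vary: "Origin" },
    handled: true,
  };
}

// Browser-side rule for a simple request without credentials: script may
// read the response only if ACAO is "*" or equals the page's origin.
function scriptCanRead(pageOrigin, res) {
  const acao = res.headers["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// Capability detection in the form quoted from hacks.mozilla.org.
function supportsCors(xhr) {
  return "withCredentials" in xhr;
}

// Send one cross-origin request from pageOrigin and report what happened.
function simulate(server, pageOrigin) {
  const res = server({ headers: { origin: pageOrigin } });
  return {
    status: res.status,
    handled: res.handled,
    readable: scriptCanRead(pageOrigin, res),
  };
}
```

With the plain server the script cannot read the response, but the request was still processed; only the Origin-checking server stops it before any work is done.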
