On Tue, 19 Feb 2008 12:23:04 +0100, Thomas Roessler <[EMAIL PROTECTED]> wrote:
> On 2008-02-19 08:48:58 +0100, Anne van Kesteren wrote:
>> No, these are completely different cases. What you're referring
>> to is ok for same-origin requests and is what the same-origin
>> requests still allow. Non same-origin requests probably require a
>> different policy though.
> That's not obvious to me. So far, the basic model is that (a)
> cross-origin requests are treated roughly the same as same-origin
> requests, but (b) require specific authorization for precisely that
> reason. (See also the accountability thread.)
That only holds true for non-GET. See my other e-mail where I made a
proposal on how to deal with this. (Though I haven't filled in the
specifics yet.)
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>