"Mark Nottingham" <[EMAIL PROTECTED]>
Except of course you only allow them if there's some hypothetical cross
domain XHR, something which doesn't exist,
AIUI that's under discussion in a TF now.
So the task force can decide the behaviour rather than pre-empting their
conclusions with a MUST or SHOULD that is only relevant after they have
decided. Given that at least one likely conclusion will be a whitelist file
allowing cross domain from such sites, your use case is met without
endangering user freedoms.
and then usefully there's a way
of taking an XHR stream and converting it to an image or video stream,
again
something that doesn't exist.
You're losing me here; how do "image or video streams" come into it?
Because anything included in an IFRAME or new window is already trivially
able to be retrieved without a referrer header in the vast majority of UAs
that support script today. The only things you cannot do is add an image
with img (you can with iframe) or css background or content in an embed
element, so the only relevant protection you're introducing is in these
formats, not simple HTML or text documents.
The most prominent being the same Accessibility Testing assistant
mentioned
elsewhere.
ref?
http://www.w3.org/mid/[EMAIL PROTECTED]
Cheers,
Jim.
