On Mar 15, 2008, at 01:59, Eric Lawrence wrote:
> XDR is intended for "public" data. We explicitly suggest that Intranet servers do not expose private data through this mechanism. In order to ensure that no existing servers/services (in any zone) are put at risk, XDR does not send credentials of any sort, and requires that the server acknowledge the cross-domain nature of the request via the response header.
In practice, though, cross-site requests for user-specific data are so interesting that people will do it anyway. The user will have to trust the third-party site with credentials or a token which will be encoded in the URI or in the POST payload. The inability to pass credentials/token in the HTTP headers will not stop communicating that data--it'll only be communicated in an inconvenient way.
--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/
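The exchange the two messages describe, as an added example that is not part of the original thread or of any Microsoft code: the client side models what an XDomainRequest puts on the wire (no Cookie, no Authorization, no custom headers, a text/plain body), and the server side shows the workaround Henri predicts, a per-user token carried in the POST payload, together with the response-header opt-in Eric mentions. The token table, host names, the `token=<value>` body format and the `XDomainRequestAllowed: 1` header name are assumptions (the header follows the IE8 Beta 1 convention; the shipped IE8 used `Access-Control-Allow-Origin` instead). The handler refuses tokens in the query string because a URI is copied into server logs, proxy logs and Referer headers, which a POST body is not.

```javascript
// Added example modelling the XDR contract discussed above; not code from the
// thread. All identifiers and the token table are constructed for illustration.

// Constructed token table. Real tokens would be random, expiring and revocable.
const TOKENS = {
  "tok-3f9a1c7e": "alice",
  "tok-b82d0e55": "bob",
};

// Client side: what an XDomainRequest actually sends. The browser's cookies and
// HTTP auth state (browserState) are deliberately never consulted, custom
// headers are not possible, and a body always goes out as text/plain.
function buildXdrRequest(method, url, body, _browserState) {
  const headers = { Host: new URL(url).host };
  if (body !== undefined) headers["Content-Type"] = "text/plain";
  return { method, url, headers, body: body === undefined ? "" : String(body) };
}

// Constant-time comparison so a token lookup does not leak how many leading
// characters matched. Lengths are compared up front; tokens here are fixed
// length, so that reveals nothing. In Node, crypto.timingSafeEqual does this.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Scan the whole table so timing does not depend on where the token sits.
function userForToken(presented) {
  let match = null;
  for (const [token, user] of Object.entries(TOKENS)) {
    if (constantTimeEqual(token, presented)) match = user;
  }
  return match;
}

// Server side. Cookies and Authorization are never consulted: XDR does not
// send them, so the token in the payload is the only proof of identity.
function handleXdrRequest(req) {
  const respond = (status, body) => ({
    status,
    // The opt-in Eric describes: without this header the browser discards the
    // response, so servers that never add it are not exposed by XDR.
    headers: { XDomainRequestAllowed: "1", "Content-Type": "text/plain" },
    body,
  });

  const url = new URL(req.url);
  if (url.searchParams.has("token")) {
    // A token in the URI lands in access logs and Referer headers; refuse it.
    return respond(400, "token must be sent in the request body, not the URI");
  }
  if (req.method !== "POST") return respond(405, "POST required");

  // Assumed wire format for the text/plain body: a single line "token=<value>".
  const m = /^token=([A-Za-z0-9-]+)\s*$/.exec(req.body);
  if (!m) return respond(401, "missing token");
  const user = userForToken(m[1]);
  if (!user) return respond(401, "invalid token");
  return respond(200, `private data for ${user}`);
}

// Worked exchange: a page on third-party.example calls api.example on behalf
// of a user who has handed it a token. The session cookie stays in the browser.
function demo() {
  const browser = { cookies: "session=abc123" };
  const req = buildXdrRequest("POST", "https://api.example/me",
                              "token=tok-3f9a1c7e", browser);
  return handleXdrRequest(req);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block prints the 200 response for alice. Sending the same request with only the browser's cookie and no body token yields 401, which is the whole point of Eric's design: ambient credentials never reach the server over XDR, so the user has to hand the third-party site an explicit token, exactly as Henri predicts.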