Adam Barth wrote:
On Fri, May 30, 2008 at 2:02 PM, Jonas Sicking <[EMAIL PROTECTED]> wrote:
With Access-Control-Origin it is easy to block all cross-site requests where
the requesting site can read the resulting data.
If you think this is an important use case, why not add a specific
header that says "this is a cross-site XMLHttpRequest" instead of
overloading the Access-Control-Origin header?
What I think is needed is a "this is a cross-site Access-Control
request". Which I think is pretty close to what Access-Control-Origin was.
/ Jonas
