I don't think the presented XBL use case is valid:
"An XBL binding allows full access to the document it is bound to and therefore cross-origin XBL usage is prohibited. The resource sharing policy enables cross-origin XBL bindings. If the user is authenticated with the server that hosts the XBL widget it is possible to have a user-specific cross-origin bindings."
I'm not sure whether "an XBL binding allows full access to the document it is bound to" is talking about accessing the DOM of the bound-document or the binding-document, but I don't think either case requires access-control.
I don't see where the XBL spec says that the bound-document must have access to the binding-document, so I don't understand why cross-origin restrictions would apply.
And I don't understand why we should prohibit the XBL binding having access to the bound-document. That's the whole point of XBL, and we already have the same situation with <script src>. If you don't trust the XBL bindings then don't reference them, just like with scripts.
Anne van Kesteren wrote:
I took a stab at ACTION-11 which is currently assigned to Maciej: http://www.w3.org/2008/webapps/track/actions/11 http://dev.w3.org/2006/waf/access-control/#use-cases If this is good enough I suggest we close the action.
