On Tue, 10 Feb 2009 13:00:35 +0100, Sean Hogan <shogu...@westnet.com.au>
wrote:
> I don't think the presented XBL use case is valid:
>
> "An XBL binding allows full access to the document it is bound to and
> therefore cross-origin XBL usage is prohibited. The resource sharing
> policy enables cross-origin XBL bindings. If the user is authenticated
> with the server that hosts the XBL widget it is possible to have
> user-specific cross-origin bindings."
>
> I'm not sure whether "an XBL binding allows full access to the document
> it is bound to" is talking about accessing the DOM of the bound-document
> or the binding-document, but I don't think either case requires
> access-control.
>
> I don't see where the XBL spec says that the bound-document must have
> access to the binding-document, so I don't understand why cross-origin
> restrictions would apply.
>
> And I don't understand why we should prohibit the XBL binding having
> access to the bound-document. That's the whole point of XBL, and we
> already have the same situation with <script src>. If you don't trust
> the XBL bindings then don't reference them, just like with scripts.

That example is based on
http://www.w3.org/TR/2007/CR-xbl-20070316/#security
and maybe some discussion with Ian regarding this. It's been a while.
Does that help?
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>