On Tue, Jun 9, 2009 at 12:09 PM, Anne van Kesteren <[email protected]> wrote:
> On Tue, 09 Jun 2009 18:38:47 +0200, Tyler Close <[email protected]> wrote:
>> So requests from XMLHttpRequest have an Origin header, and requests
>> from GuestXMLHttpRequest don't. The server should treat requests
>> coming from GuestXMLHttpRequest as bits arriving from an unknown
>> client (ie: a "guest"), and so only authorize them based on
>> information explicitly included in the request.
>
> FWIW, I think we need a little more motivation for GuestXMLHttpRequest. It
> seems to me that a seamless sandboxed <iframe> addresses the use case brought
> forward and does so better (and more complete) than adding a new constructor
> for XMLHttpRequest.

Could you provide a code example that shows how to send an XHR request
to the same Origin without credentials using the HTML5 <iframe>
element?

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
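
The rule in the quoted paragraph, sketched from the server's side as an added example (not code from this thread or from any participant). It assumes, as the quoted text describes, that a missing Origin header marks a guest request; the `cap` query parameter, the `sid` cookie, the origin allowlist and all sample values are hypothetical.

```javascript
// Constructed sample state (hypothetical names and values).
const SESSIONS = new Map([["sid-alice", "alice"]]);           // cookie session id -> user
const CAPABILITIES = new Map([["cap-7f3a", "read:report"]]);  // unguessable token -> permission
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Parse a Cookie header into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Decide how a request is authorized.
// req = { url: string, headers: { name: value } }
function authorize(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  const origin = headers["origin"];

  if (origin === undefined) {
    // Guest request: bits from an unknown client. Cookies are ambient
    // credentials attached by the browser, so they are ignored here even
    // if present. Only authority carried explicitly in the request counts
    // (assumption: an unguessable token in the "cap" query parameter).
    const cap = new URL(req.url, "https://server.example").searchParams.get("cap");
    const grant = CAPABILITIES.get(cap);
    return grant
      ? { allowed: true, basis: "explicit-token", grant }
      : { allowed: false, basis: "guest-no-explicit-authority" };
  }

  // Request that names its origin: the session cookie is honoured only
  // when the origin is one the server has chosen to trust.
  if (!TRUSTED_ORIGINS.has(origin)) return { allowed: false, basis: "untrusted-origin" };
  const user = SESSIONS.get(parseCookies(headers["cookie"]).sid);
  return user
    ? { allowed: true, basis: "session", user }
    : { allowed: false, basis: "no-session" };
}
```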
