On Tue, 14 Apr 2009 14:34:11 +0200, Arthur Barstow <[email protected]>
wrote:
On Apr 14, 2009, at 6:33 AM, ext Thomas Roessler wrote:
So, to pick up on this discussion again -- I don't think we've had a
useful conclusion whether or not the client-side JavaScript code ought
to explicitly enable cross-site requests (as Tyler suggests, and as IE
implements in XDR) or not.

All things considered, any thoughts?

I tend to think that when adding new semantics, it generally makes sense
to add new syntax to support those semantics and in this case that it
would be better to err on the side of caution even if the mechanism
chosen isn't particularly friendly to the app developer.

Yes, it would be good to get others' thoughts on this, particularly those
that have implemented CORS.

If you still feel this way I suggest you put it on the agenda for TPAC so
we can briefly discuss it there. Otherwise I suggest we consider this
resolved considering that implementations are shipping.

I personally think keeping the API the way it is now is nicer and the
security issue seems highly theoretical.

--
Anne van Kesteren
http://annevankesteren.nl/