On 6/20/11 12:57 PM, Robin Berjon wrote:
On Jun 20, 2011, at 12:23 , Marcos Caceres wrote:
On Mon, Jun 20, 2011 at 11:41 AM, Robin Berjon <[email protected]> wrote:
You have origin restrictions in place. If you XHR to
perfectly-legit.com and it redirects to something protected inside
your network, unless you've used CORS to open up the latter (in which
case you're begging to get hurt) then you won't get anything.

The use case I was thinking about more centered around images, scripts, and iframes, which are not really subject to CORS (though I can see how they could be). Anyway, we already have origin="*", so probably doesn't matter too much at this point.
