Term user credentials defined but not used in XHR CR

2010-08-03 Thread Jonathan Rees
User credentials is defined in section 2.2 of [1], but never used.
Jonathan
[1] http://www.w3.org/TR/2010/CR-XMLHttpRequest-20100803/

[widgets] Authorities will never have authority?

2009-12-17 Thread Jonathan Rees
Sorry, I missed the followup on Larry's email http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0131.html - can someone tell me where this is tracked? Specifically I want to check that the 'authority' component is adequately futureproofed. Devoid of semantics could mean devoid in this

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-14 Thread Jonathan Rees
Comments inline On Sun, Dec 13, 2009 at 9:15 PM, Maciej Stachowiak m...@apple.com wrote: On Dec 13, 2009, at 3:47 PM, Mark S. Miller wrote: On Sun, Dec 13, 2009 at 3:19 PM, Maciej Stachowiak m...@apple.com wrote: The literature you cited seems to mostly be about whether capability systems

Re: [cors] unaddressed security concerns

2009-10-23 Thread Jonathan Rees
Comments below On Thu, Oct 22, 2009 at 6:12 PM, Doug Schepers schep...@w3.org wrote: Let's take it a step further, and propose a worst-case scenario.  Say that some undetected hypothetical vulnerability in CORS is discovered some years from now, with a degree of severity akin to CSRF. At

Re: [cors] unaddressed security concerns

2009-10-12 Thread Jonathan Rees
On Mon, Oct 12, 2009 at 2:36 AM, Anne van Kesteren ann...@opera.com wrote: On Sat, 10 Oct 2009 01:36:50 +0200, Mark S. Miller erig...@google.com wrote: The last of the links above should make the application to CORS concrete. See also the dismissive replies which followed in that thread. If

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-11 Thread Jonathan Rees
I think this may be a foolish question, but is the value of Origin: limited to sites? Couldn't it be an individual web page (URI)? Or a wildcard? Is there some principled reason for such a limitation (if it exists)? I took a look at the HTML5 draft (cited by CORS) and couldn't quite figure this

Re: Sketch of an idea to address widget/package addressing with fragID syntax and media-type defn.

2008-12-06 Thread Jonathan Rees
On Dec 6, 2008, at 9:58 AM, timeless wrote: On Fri, Dec 5, 2008 at 3:42 PM, Jonathan Rees [EMAIL PROTECTED] wrote: I hate to burst ignorantly into a discussion I know little about... but that's what I'm going to do. Forgive me. Regarding the creation of local URIs for use in APIs

Re: Sketch of an idea to address widget/package addressing with fragID syntax and media-type defn.

2008-12-05 Thread Jonathan Rees
I hate to burst ignorantly into a discussion I know little about... but that's what I'm going to do. Forgive me. Regarding the creation of local URIs for use in APIs requiring URIs: I want to consider, just as a what-if meant for clarification of requirements, the use of the tag: URI