Adam Barth <[email protected]> replied:
> On Sat, May 28, 2011 at 9:02 AM, Chris Weber <[email protected]> wrote:
>> Some minor suggestions on section "5.2. Network Access".
>>
>> "Access to network resources varies depending on whether the resources
>> are in the same origin as the document attempting to access them.
>>
>> Generally, reading information from another origin is forbidden."
>>
>> Based on the generality of the content that is allowed - images, script,
>> style sheets, it almost seems that the above sentence could be reversed to
>> say that "Generally, reading information from another origin is allowed."
>> Otherwise, you could further demonstrate some of the cases where it is
>> generally forbidden, such as with XmlHttpRequest.
>
> The general case is that it is forbidden. It's only in the enumerated
> special cases that it is allowed. The number of enumerated cases
> isn't related to what happens in the general case.

I think it depends on one's perspective. Perhaps it's "generally" forbidden in browser internals, but if one's perspective is from within an HTML page, then heck, I can have <IMG>, <SCRIPT>, <STYLE>, <OBJECT> (?), (others?), "read information" from any origin, and <A> & <LINK> can link to any origin, so it'd seem to me that it's fairly "general".

=JeffH
