On Mon, Jun 13, 2011 at 2:19 PM, =JeffH <[email protected]> wrote:
> Adam Barth <[email protected]> replied:
>> On Sat, May 28, 2011 at 9:02 AM, Chris Weber <[email protected]> wrote:
>>> Some minor suggestions on section "5.2. Network Access".
>>>
>>> "Access to network resources varies depending on whether the resources
>>> are in the same origin as the document attempting to access them.
>>>
>>> Generally, reading information from another origin is forbidden."
>>>
>>> Based on the generality of the content that is allowed - images, script,
>>> style sheets, it almost seems that the above sentence could be reversed
>>> to say that "Generally, reading information from another origin is allowed."
>>> Otherwise, you could further demonstrate some of the cases where it is
>>> generally forbidden, such as with XmlHttpRequest.
>>
>> The general case is that it is forbidden. It's only in the enumerated
>> special cases that it is allowed. The number of enumerated cases
>> isn't related to what happens in the general case.
>
> I think it depends on one's perspective. Perhaps it's "generally" forbidden
> in browser internals, but if one's perspective is from within an HTML page,
> then heck, I can have <IMG>, <SCRIPT>, <STYLE>, <OBJECT> (?), (others?),
> "read information" from any origin, and <A> & <LINK> can link to any origin,
> so it'd seem to me that it's fairly "general".
Generality isn't about prevalence. It's about defaults. The default is that reading isn't allowed.

Adam
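The distinction the thread turns on (a default-deny rule for cross-origin reads, with a short enumerated list of elements that may still embed cross-origin content) can be modelled in a few lines. The code below is an added illustration, not text from the websec thread or from the draft being discussed. It assumes a simplified origin tuple of (scheme, host, effective port), and a hypothetical split of accesses into element names used for embedding versus a constructed `'read'` access kind standing in for APIs such as XMLHttpRequest that return the response body to script.

```javascript
// Added example: a minimal model of the default-deny reading rule.
// Assumes the origin of a URL is the tuple (scheme, host, effective port).
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Compute the origin tuple of a URL, filling in the scheme's default port
// so that "https://a.example/" and "https://a.example:443/" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin when all three components of the tuple match.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The enumerated exceptions named in the thread: elements that may fetch a
// cross-origin resource for rendering or execution without handing its bytes
// to the embedding document's script. (Constructed allow-list for illustration.)
const CROSS_ORIGIN_EMBED_ALLOWED = new Set(['img', 'script', 'style', 'link']);

// Decide whether a document at docUrl may perform `access` against resourceUrl.
// `access` is an element name used to embed the resource, or the constructed
// value 'read' for an API that exposes the response content to script.
function accessAllowed(docUrl, resourceUrl, access) {
  // Same origin: both embedding and reading are permitted.
  if (sameOrigin(docUrl, resourceUrl)) return true;
  // Cross origin: reading is denied by default ...
  if (access === 'read') return false;
  // ... and only the enumerated embed cases are allowed through.
  return CROSS_ORIGIN_EMBED_ALLOWED.has(access);
}

// Stand-alone usage (constructed URLs).
const doc = 'https://app.example/page';
console.log(accessAllowed(doc, 'https://cdn.example/lib.js', 'script')); // true
console.log(accessAllowed(doc, 'https://api.example/data.json', 'read')); // false
console.log(accessAllowed(doc, 'https://app.example/data.json', 'read')); // true
```

The point of writing it this way is that the allow-list is the exception and `return false` is the rule: adding or removing an entry from `CROSS_ORIGIN_EMBED_ALLOWED` changes how many cases are permitted without changing what happens in the unenumerated case, which is Adam's argument about defaults versus prevalence.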
