On Sep 28, 2008, at 3:32 AM, Robert O'Callahan wrote:

> On Sun, Sep 28, 2008 at 10:52 PM, Michal Zalewski <[EMAIL PROTECTED]>
> wrote:
>
>> other browsers are getting cross-domain XMLHttpRequest headers
>
> Using the W3C Access Controls spec, which I am suggesting to reuse
> here. If you're not familiar with that spec, it's here:
> http://www.w3.org/TR/access-control/
>
>> Now consider that "I-Do-Not-Want-To-Be-Loaded-Across-Domains" is
>> also inherently incompatible with mashups, content separation,
>> gadgets, etc, and there is a very vocal group of proponents and
>> promoters for these technologies (which is why browser vendors are
>> implementing cross-domain XMLHttpRequest to begin with). So we would
>> probably rather want to say "I-Want-To-Be-Loaded-Only-By:
>> <list_of_domains>".
>
> I'm suggesting just reusing the Access Controls spec for that.
>
> So for example, the server could say:
>
> Same-Origin-Only-Unless-Access-Controls-Says-Otherwise: yes
> Access-Control-Allow-Origin: http://example.com
I think this is a really good proposal. It would allow Web sites to
place all content under a single uniform policy for access control, as
opposed to the state today where cross-site access depends on how the
resource is embedded.
Would "Require-Access-Control" be an adequate synonym for
"Same-Origin-Only-Unless-Access-Controls-Says-Otherwise", on the assumption that
same-origin access always satisfies access control?
Regards,
Maciej
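The decision logic the thread sketches, as an added example that is not part of the original messages or of any browser's code: a model of how a browser could combine the proposed opt-in header (under either name, "Same-Origin-Only-Unless-Access-Controls-Says-Otherwise" or the shorter synonym "Require-Access-Control") with Access-Control-Allow-Origin to decide whether a document at one origin may load a resource from another. The following are my assumptions, not the thread's: header names compare case-insensitively; the opt-in header's value is "yes" and any other value counts as absent; Access-Control-Allow-Origin is either "*" or a whitespace-separated list of origins, as the 2008 access-control drafts allowed; an origin is scheme://host[:port] with default ports normalised away, so the example only handles http and https; and, as the reply above assumes, a same-origin load always passes. The function names (normalizeOrigin, getHeader, requiresAccessControl, mayLoad) and the sample headers are constructed for this example.

```javascript
// Added example modelling the proposal in the thread; not code from any browser.
// Assumptions (mine): case-insensitive header names, opt-in value "yes",
// Access-Control-Allow-Origin is "*" or a whitespace-separated origin list,
// only http/https origins, default ports normalised away.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalise an origin so "http://example.com" and "http://example.com:80"
// compare equal. Returns null for anything that is not a parseable http(s) URL,
// which also covers an opaque "null" origin.
function normalizeOrigin(s) {
  let u;
  try {
    u = new URL(s);
  } catch (e) {
    return null;
  }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Case-insensitive lookup over a plain object of response headers.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const k of Object.keys(headers)) {
    if (k.toLowerCase() === wanted) return String(headers[k]).trim();
  }
  return null;
}

// Both spellings of the opt-in header proposed in the thread.
const OPT_IN_HEADERS = [
  "Same-Origin-Only-Unless-Access-Controls-Says-Otherwise",
  "Require-Access-Control",
];

// Does the response opt in to the restrictive policy?
function requiresAccessControl(headers) {
  return OPT_IN_HEADERS.some(
    h => (getHeader(headers, h) || "").toLowerCase() === "yes"
  );
}

// Decide whether a document at embedderOrigin may load a resource served from
// resourceOrigin with the given response headers.
// Returns { allowed: boolean, reason: string }.
function mayLoad(embedderOrigin, resourceOrigin, headers) {
  const embedder = normalizeOrigin(embedderOrigin);
  const resource = normalizeOrigin(resourceOrigin);
  if (resource === null) {
    return { allowed: false, reason: "unparseable resource origin" };
  }

  // No opt-in header: the policy layer modelled here does not block anything;
  // whatever the embedding mechanism allows today still applies.
  if (!requiresAccessControl(headers)) {
    return { allowed: true, reason: "no opt-in header; legacy behaviour" };
  }

  // Same-origin access always satisfies access control.
  if (embedder !== null && embedder === resource) {
    return { allowed: true, reason: "same origin" };
  }

  const acao = getHeader(headers, "Access-Control-Allow-Origin");
  if (acao === null) {
    return { allowed: false, reason: "opted in, no Access-Control-Allow-Origin" };
  }
  if (acao === "*") {
    return { allowed: true, reason: "Access-Control-Allow-Origin: *" };
  }

  // An embedder with an opaque or unparseable origin can never match a listed origin.
  if (embedder === null) {
    return { allowed: false, reason: "embedder origin not parseable" };
  }

  const listed = acao.split(/\s+/).map(normalizeOrigin).filter(Boolean);
  if (listed.includes(embedder)) {
    return { allowed: true, reason: "embedder origin listed in Access-Control-Allow-Origin" };
  }
  return { allowed: false, reason: "embedder origin not listed" };
}

// Constructed response headers mirroring the pair shown in the thread.
const exampleHeaders = {
  "Same-Origin-Only-Unless-Access-Controls-Says-Otherwise": "yes",
  "Access-Control-Allow-Origin": "http://example.com",
};

for (const embedder of ["http://example.com", "http://evil.example",
                        "http://victim.example:80", "null"]) {
  console.log(embedder, "->", mayLoad(embedder, "http://victim.example", exampleHeaders));
}
```

Two points worth noticing when running it: the scheme is part of the origin, so an https://example.com embedder does not match an allow-list entry of http://example.com, and an embedder whose origin is opaque ("null", as for a sandboxed frame or a data: URL) can only get in through "*", never through a listed origin.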