Terri wrote:
> There's no way for the external content provider to say "no, that's an
> action-causing script, we don't let other people use that" on requests
> that are "safe".
That's right - because if there was, we'd have to do checks on every cross-domain request a page made. And the performance impact of all the HEAD requests would be significant. If the implementation were to switch from that to a single policy file, such as crossdomain.xml, then that problem would be eliminated - but a set of different problems would be created.

Again, I think we need to focus on the fact that SSP is a belt-and-braces approach. If you use sensible coding practices, it helps you when there's a slip-up. If you do non-idempotent operations using GET, then it (the current formulation, at least) doesn't help you.

Gerv

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
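The gap Gerv describes, modelled as an added example that is not part of the thread or of Mozilla's SSP implementation: a policy that only vets non-"safe" cross-site requests cannot protect an endpoint that changes state on GET, whereas checking every request (the costly alternative) would. The origins, paths, policy set and the "balance" side effect are constructed for the illustration.

```python
"""Toy model of a Site Security Policy check, constructed for this example.
mode="unsafe_only" models the formulation discussed in the thread (only
non-safe methods are policed); mode="every_request" models the alternative
that would require a check on every cross-domain request."""
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD"}  # "safe" in the HTTP sense: no side effects expected


@dataclass
class Request:
    method: str
    origin: str   # site whose page issued the request
    host: str     # site receiving it
    path: str


@dataclass
class Server:
    allowed_origins: set = field(default_factory=set)  # constructed cross-site policy
    balance: int = 100                                 # constructed server state
    mode: str = "unsafe_only"

    def policy_allows(self, req: Request) -> bool:
        return req.origin == req.host or req.origin in self.allowed_origins

    def handle(self, req: Request) -> int:
        cross_site = req.origin != req.host
        # Under "unsafe_only", a cross-site GET/HEAD is never checked at all.
        needs_check = cross_site and (
            self.mode == "every_request" or req.method not in SAFE_METHODS)
        if needs_check and not self.policy_allows(req):
            return 403
        # The slip-up: a non-idempotent action reachable with a "safe" method.
        if req.path == "/transfer-via-get" and req.method == "GET":
            self.balance -= 50
        # The sensible practice: state change only on POST.
        elif req.path == "/transfer" and req.method == "POST":
            self.balance -= 50
        return 200


def run_scenario(mode: str) -> tuple[int, int, int]:
    """Return (status of cross-site POST, status of cross-site GET, final balance)."""
    srv = Server(mode=mode)
    post = srv.handle(Request("POST", "attacker.example", "bank.example", "/transfer"))
    get = srv.handle(Request("GET", "attacker.example", "bank.example", "/transfer-via-get"))
    return post, get, srv.balance
```

With the thread's formulation the POST is refused but the GET goes through and the balance drops; only the check-everything mode stops both.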