The draft should probably explicitly indicate that it's trying to solve the data theft problem. (As in, we don't allow cross-domain access because that might potentially expose information on intranets etc.) That other specifications using the mechanism should forbid access to HTTP headers, cookies, etc. and that scripts, if any, should run in the same origin as that of the document that does the request. See also:

  http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
