On Thu, 20 Dec 2007 02:17:29 +0100, Close, Tyler J. <[EMAIL PROTECTED]>
wrote:
> There is also a significant factual error in the document's Introduction:
>
> """
> However, it is not possible to exchange the contents of resources or
> manipulate resources "cross-domain".
> """
>
> It *is* possible to manipulate resources "cross-domain". An HTML page
> can contain a FORM which submits an HTTP request "cross-domain".
> Submission of this request can be automated using JavaScript. The Same
> Origin Policy only prevents the HTML page from accessing the response to
> the issued request. Manipulation is allowed. Only responses are
> protected, not requests.

Ian already replied to your earlier comment. I believe the introduction is
"fixed" in the editor's draft:
http://dev.w3.org/2006/waf/access-control/#introduction

> Below are comments from Doug Crockford:
> [...] I believe there are more elegant and reliable approaches to
> providing a safe alternative to the script tag hack.

I'd be interested in hearing about such a proposal.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
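
The quoted point that only responses are protected, not requests, means the receiving server has to decide for itself whether to act on a form submission. The following is an added example, not part of the original message: a server-side check for state-changing requests. `ALLOWED_ORIGINS`, the request shape and the token field names are assumptions made for illustration, and rejecting requests that carry neither `Origin` nor `Referer` is a policy choice.

```javascript
// Added example: gate state-changing requests on their source origin and an
// anti-forgery token, because the browser will send cross-domain form posts.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // assumed site origin
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Compare two strings without stopping at the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Reduce an Origin or Referer header value to scheme://host[:port], or null.
function originOf(value) {
  if (!value || value === "null") return null;
  try { return new URL(value).origin; } catch { return null; }
}

// req: { method, headers (lower-cased names), sessionToken, submittedToken }
function checkStateChange(req) {
  if (SAFE_METHODS.has(req.method)) return { allow: true, reason: "safe method" };
  const source = originOf(req.headers["origin"]) || originOf(req.headers["referer"]);
  if (source === null) return { allow: false, reason: "no usable Origin or Referer" };
  if (!ALLOWED_ORIGINS.has(source)) {
    return { allow: false, reason: "cross-origin source " + source };
  }
  if (!req.sessionToken || !constantTimeEqual(req.sessionToken, req.submittedToken)) {
    return { allow: false, reason: "missing or wrong anti-forgery token" };
  }
  return { allow: true, reason: "same-origin with valid token" };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { method: "POST", headers: { origin: "https://app.example" },
    sessionToken: "tok123", submittedToken: "tok123" },
  { method: "POST", headers: { origin: "https://other.example" },
    sessionToken: "tok123", submittedToken: undefined },
  { method: "POST", headers: { referer: "https://app.example/settings" },
    sessionToken: "tok123", submittedToken: "tok124" },
];
for (const r of SAMPLES) console.log(r.headers, checkStateChange(r));
```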