On Feb 7, 2008, at 19:15, Close, Tyler J. wrote:

Is the user or the Referer-Root site accountable for a cross-domain non-GET request? Does the proposed protocol make it possible for the site hosting the resource to correctly determine the answer to that question?


XHR is driven by scripts written in a Turing-complete imperative programming language. Making the browser analyze the relationship of user action and XHR action is not a solvable problem in the general case.

So instead of trying to analyze what the script does, we are left with the belief of trust that the script acts properly on the user's behalf. If the recipient of the cross-site request chooses to trust an untrustworthy site, all bets are off when it comes to placing the blame on the user vs. a rogue script.

--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/


