On 2008-02-19 08:48:58 +0100, Anne van Kesteren wrote:

> No, these are completely different cases. What you're referring
> to is ok for same-origin requests and is what the same-origin
> requests still allow. Non same-origin requests probably require a
> different policy though.

That's not obvious to me. So far, the basic model is that (a) cross-origin requests are treated roughly the same as same-origin requests, but (b) require specific authorization for precisely that reason. (See also the accountability thread.)

--
Thomas Roessler, W3C <[EMAIL PROTECTED]>
