Using a variation on the example in the spec...

  var password = ... // global variable holds user's password

  function deleteItem(itemURL, updateUI) {
    var client = new XMLHttpRequest()
    client.open("DELETE", itemURL)
    client.onload = updateUI
    client.onerror = updateUI
    client.onabort = updateUI
    client.send("password=" + password)
  }

Well, if a script can rely on someone being so foolish as to store their username and password as globals then why bother working that hard... just ping a URL with them. I can't see how this is relevant to the spec in terms of a specific vulnerability.
ss
