Using a variation on the example in the spec...
var password = ...; // global variable holds user's password

function deleteItem(itemURL, updateUI) {
    var client = new XMLHttpRequest();
    client.open("DELETE", itemURL);
    // the same callback handles success, network error and abort
    client.onload = updateUI;
    client.onerror = updateUI;
    client.onabort = updateUI;
    // the global password is sent as the request body
    client.send("password=" + password);
}
Well, if a script can rely on someone being as foolish as to store
their username and password as globals, then why bother working that
hard... just ping a URL with them. I can't see how this is relevant to
the spec in terms of a specific vulnerability.
ss