Anne van Kesteren wrote:
> http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html
> And although it might end up being part of the Content Security Policy
> work, I think it would be useful if we publish a Working Draft of this work
> to gather more input, committing us to nothing.
> What do you think?
Halfway there. I don't follow why a line of JS invokes an "everything
cross-origin blocked by default" security model, and a line of HTML
invokes an "everything allowed by default" security model. Nor do I
follow why "origin" isn't just sent as standard with every request and
access controlled by the server based on origin (rather than controlled
only "by user agents which choose to follow the specs", offering an
artificial screen).
However, on this specific draft, is there any chance you can move to a
white-list/black-list model, where people can send either Allow-Origin
or Deny-Origin? For instance, in many scenarios I want to allow everyone
except origins A and B, who I know consistently "steal" bandwidth or
display my resources beside unsavoury ones.
Best,
Nathan
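The server-side, origin-based gate Nathan describes, as an added example that is not part of the thread or the From-Origin draft: the resource owner declares either an allow-list or a deny-list of origins, and the server checks the request's Origin header against it. The policy shape (`mode`/`origins`) and the `same` keyword are assumptions of this example.

```python
from urllib.parse import urlsplit

# Default ports so that "https://a.example" and "https://a.example:443"
# compare equal, as they are the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Canonicalize 'scheme://host[:port]' into a (scheme, host, port) tuple.

    Returns None for anything that is not a bare origin: a missing header,
    the literal 'null' some browsers send for opaque origins, a URL with a
    path or credentials, or an unknown scheme.
    """
    if value is None:
        return None
    parts = urlsplit(value.strip().lower())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric port
        return None
    return (parts.scheme, parts.hostname, port)


def allowed(policy, request_origin, resource_origin):
    """Decide whether the resource may be served to request_origin.

    policy = {"mode": "allow" | "deny", "origins": [...]}  (assumed shape);
    the entry "same" (assumed keyword) stands for the resource's own origin.
    """
    own = normalize_origin(resource_origin)
    listed = set()
    for entry in policy["origins"]:
        origin = own if entry == "same" else normalize_origin(entry)
        if origin is not None:
            listed.add(origin)
    req = normalize_origin(request_origin)
    if policy["mode"] == "allow":
        # Allow-list: anything unlisted or unparsable is refused.
        return req is not None and req in listed
    if policy["mode"] == "deny":
        # Deny-list: only listed origins are refused; a request without a
        # usable Origin passes because nothing matches it. As the mail notes,
        # this only constrains agents that send a truthful Origin header.
        return req is None or req not in listed
    raise ValueError("unknown policy mode: %r" % policy["mode"])
```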