On 3/21/06, Gervase Markham <[EMAIL PROTECTED]> wrote:
> Chris Holland wrote:
> > That's where the extra HTTP header would come in:
> > "X-Allow-Foreign-Hosts": Forcing developers who expose such a service
> > to make the conscious choice to expose data to the world, what Jim
> > refers to as "OPT-IN".
>
> I believe the usual objection to this (which was raised when I suggested
> something similar) is that some services respond to requests by doing
> something

The flaw in that argument is that img.src="..." is equivalent, if the
initial challenge request is a GET, which of course the spec can require.

> - therefore, a model which allows cross-site requests has to
> check that the request is permitted before making it, not before
> processing the result.

Certainly, that's one of the issues with the header approach - the "GET and
check for the header (or check the magic URL for an XML doc), then make the
request" approach should be safe from such issues. Both Mozilla and Flash
already have that deployed and working.

Jim.
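The ordering Jim describes (a side-effect-free GET to read the service's opt-in first, and only then the real request) as an added JavaScript example; this is not code from the original thread, from Mozilla or from Flash. The header name X-Allow-Foreign-Hosts is the one under discussion; the header's value syntax (a comma-separated list of allowed origins, or "*"), the origin and service URLs, and the in-memory transport that stands in for XMLHttpRequest are assumptions made for this example. The fake service logs every request it receives, which is what makes the security property visible: a service that has not opted in never sees the POST at all.

```javascript
// Added example, not from the original thread. Header name from the thread;
// the value syntax (comma-separated list of allowed origins, or "*") is an
// assumption made for this example, not a spec.
const OPT_IN_HEADER = "x-allow-foreign-hosts";

// Decide whether `origin` is permitted by an opt-in header value.
// A missing or empty header means the service never opted in: closed by default.
function originAllowed(headerValue, origin) {
  if (typeof headerValue !== "string" || headerValue.trim() === "") return false;
  const entries = headerValue
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
  if (entries.includes("*")) return true;
  return entries.includes(origin.toLowerCase());
}

// The ordering from the thread: probe with a GET to learn the policy, and only
// if the policy permits this origin send the real (possibly state-changing)
// request. `transport` is injected so the flow runs offline; it is synchronous
// here for simplicity (a real client would use XHR/fetch) and must return
// { status, headers: Map, body }.
function crossSiteRequest(transport, origin, url, init) {
  const probe = transport(url, { method: "GET", headers: { Origin: origin } });
  const policy = probe.headers.get(OPT_IN_HEADER);
  if (!originAllowed(policy, origin)) {
    // Refuse before the side-effecting request is ever sent. Checking the
    // response afterwards would be too late: the service would already have
    // acted on the request.
    return { allowed: false, response: null };
  }
  const headers = Object.assign({}, init.headers || {}, { Origin: origin });
  const response = transport(url, Object.assign({}, init, { headers }));
  return { allowed: true, response };
}

// Constructed in-memory service that records every request it receives, so we
// can see exactly which requests reached it.
function makeFakeService(optInValue) {
  const log = [];
  function transport(url, init) {
    log.push({ url, method: (init && init.method) || "GET" });
    const headers = new Map();
    if (optInValue !== undefined) headers.set(OPT_IN_HEADER, optInValue);
    return { status: 200, headers, body: "ok" };
  }
  return { transport, log };
}

function demo() {
  const origin = "https://app.example";              // hypothetical caller
  const url = "https://service.example/item/delete"; // hypothetical target
  const post = { method: "POST", body: "id=42" };

  const closed = makeFakeService(undefined);               // never opted in
  const opened = makeFakeService("https://app.example");   // opted in for us
  const other = makeFakeService("https://other.example");  // opted in for someone else

  return {
    closed: {
      allowed: crossSiteRequest(closed.transport, origin, url, post).allowed,
      seen: closed.log.map((e) => e.method),
    },
    opened: {
      allowed: crossSiteRequest(opened.transport, origin, url, post).allowed,
      seen: opened.log.map((e) => e.method),
    },
    other: {
      allowed: crossSiteRequest(other.transport, origin, url, post).allowed,
      seen: other.log.map((e) => e.method),
    },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point is the order, not the header's exact syntax: the closed and wrongly-scoped services only ever see the probe GET, the opted-in one sees GET then POST. The Flash-style variant, fetching a policy XML document from a fixed URL before the real request, has the same shape with the policy read from a document body instead of a response header.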