On Sun, 14 Mar 2010 02:45:26 +0100, Brett Zamir <bret...@yahoo.com> wrote:
Servers are already free to obtain and mix in content from other
sites, so why can't client-side HTML JavaScript be similarly empowered?
Because you would also have access to e.g. IP-authenticated servers.
As suggested above, could a header be required on compliant browsers to
send a header along with their request indicating the originating
server's domain?
No, existing servers would still be vulnerable.
--
Anne van Kesteren
http://annevankesteren.nl/
