[Open] mounirlamouri opened this issue 11 years ago
Nice summary. I'm for not changing the default behaviour of XHR, but allowing faking the origin on privileged applications. I described a potential solution here:
http://lists.w3.org/Archives/Public/public-sysapps/2013Mar/0183.html
Just to make sure credit is given, the summary has been made by John Lyle, not me.
I think I would prefer a solution along the lines of the one you proposed which is very close to what @sicking proposed too.
I wonder if we should discuss implications with @annevk also? As Editor of both XHR and CORS, he probably has some helpful views on this.
This does not affect just XMLHttpRequest. This would also affect <img crossorigin>, etc. If you want to introduce a new security model, you have to think it through, and not patch APIs here and there.
I agree with @annevk and outlined a similar argument on the list.
Summary of the discussion in the mailing-list: http://www.w3.org/wiki/System_Applications_WG:_Cross_Origin_XHR
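To make concrete the point raised in the thread (that a privileged-app facility for faking the origin reaches every API that sends an Origin header, not just XMLHttpRequest), here is an added example that is not code from the SysApps discussion, the W3C wiki summary or any browser. It models the server side of CORS, including the preflight for non-simple methods, and a simplified client side for XHR, `<img crossorigin>` and plain `<img>`. The allow-list, origins and the `buildRequest`/`crossOriginReadable` helpers are assumptions constructed for the example; "faking the origin" is modelled simply as the client passing a different `origin` value, which is all the server ever sees.

```javascript
// Added example: a model of the CORS decision as a server makes it, to show
// that it depends only on the request's Origin header, whatever client API
// produced the request. Allow-list and origins are constructed for the example.

const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const PREFLIGHTABLE_METHODS = ["GET", "POST", "PUT", "DELETE"];

// CORS preflight (OPTIONS carrying Access-Control-Request-Method).
// Returns the response headers the server would send, or null to refuse.
function handlePreflight(req) {
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  if (!method || !PREFLIGHTABLE_METHODS.includes(method)) return null;
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-methods": method,
    "access-control-allow-headers": req.headers["access-control-request-headers"] || "",
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
}

// The actual request. Returns the CORS headers to attach ({} when the request
// carries no Origin, i.e. same-origin or no-cors), or null when the response
// must be withheld from the caller.
function handleRequest(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) return {};
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
}

// Model of what each client API puts on the wire. In a browser the Origin
// header comes from the document's origin and page script cannot set it; the
// privileged-app proposal in the thread amounts to letting the caller choose
// the `origin` argument here (an assumption of this model).
function buildRequest(api, origin, method = "GET") {
  const headers = {};
  switch (api) {
    case "xhr":             // XMLHttpRequest (or fetch in cors mode)
    case "img-crossorigin": // <img crossorigin>: always a GET, but CORS-governed
      headers["origin"] = origin;
      break;
    case "img":             // plain <img>: no-cors, sends no Origin header
      break;
    default:
      throw new Error("unknown client api: " + api);
  }
  return { method, headers };
}

// Whether a client API acting as `origin` ends up with a response it can read.
function crossOriginReadable(api, origin, method = "GET") {
  const req = buildRequest(api, origin, method);
  if (!SIMPLE_METHODS.has(method)) {
    const preflight = handlePreflight({
      headers: { ...req.headers, "access-control-request-method": method },
    });
    if (preflight === null) return false;
  }
  if (handleRequest(req) === null) return false;
  // A no-cors <img> load succeeds but is opaque to script: not readable.
  return api !== "img";
}
```

Run `crossOriginReadable("xhr", "https://other.example")` and `crossOriginReadable("img-crossorigin", "https://other.example")`: both are refused, and both are admitted once the origin is "https://app.example", because the server applies one check to one header. That is why the thread argues the change cannot be scoped to XHR alone: any client allowed to supply its own Origin value passes this check for every CORS-governed API at once.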