sysapps / runtime

Runtime and Security Model for Hosted Web Applications and Packaged Applications

Handle Cross Origin XHR for Packaged Applications #22

Open mounirlamouri opened 11 years ago

mounirlamouri commented 11 years ago

Summary of the discussion in the mailing-list: http://www.w3.org/wiki/System_Applications_WG:_Cross_Origin_XHR

marcoscaceres commented 11 years ago

Nice summary. I'm for not changing default behaviour of XHR, but allowing faking the origin on privileged applications. I described a potential solution here:

http://lists.w3.org/Archives/Public/public-sysapps/2013Mar/0183.html

mounirlamouri commented 11 years ago

Just to make sure credit is given, the summary has been made by John Lyle, not me.

I think I would prefer a solution along the lines of the one you proposed, which is very close to what @sicking proposed too.

marcoscaceres commented 11 years ago

I wonder if we should discuss implications with @annevk also? As Editor of both XHR and CORS, he probably has some helpful views on this.

annevk commented 11 years ago

This does not affect just XMLHttpRequest. This would also affect <img crossorigin>, etc. If you want to introduce a new security model, you have to think it through, and not patch APIs here and there.

marcoscaceres commented 11 years ago

I agree with @annevk and outlined a similar argument on the list.