[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)

Adam Barth cap-talk at adambarth.com
Fri Jun 26 18:23:29 EDT 2009


On Fri, Jun 26, 2009 at 3:19 PM, Ben Laurie<benl at google.com> wrote:
> On Fri, Jun 26, 2009 at 10:29 PM, Adam Barth<cap-talk at adambarth.com> wrote:
>> Ok, but CORS trivially satisfies that requirement because the barriers
>> we are bridging only exist on the client.  A frame to Google Finance
>> can already issue an XMLHttpRequest to finance.google.com.
>
> I don't understand. A frame to Google Finance is running code provided
> by Google Finance. This does not seem like a parallel.

Well, if the user modified their browser, they might be running
EvilAcme code in that frame and then EvilAcme could do everything CORS
lets them do and more.

Adam

