I have a few questions for the new draft:
http://www.w3.org/TR/2007/WD-access-control-20071001/
Is this really required? I can achieve the same with
a) Dynamic script tags (JSON requests) as long I am am
comfortable with GET
b) PROXY governance
c) CNAMEs as a way to bypass the domain restrictions
Other issues:
a) No only does the browser have to allow this, but
XMLRequest does as well.
b) What about <a href="http://json.C
om">JSON</a> responses? XML is
great, but let us not fall into the "Not invented
here" trap
I am NOT saying that this is not a good idea. It is just
that if I
have access to the web server to add a header, then I
probably will be
able to solve this problem today.
I actually need this for my JSON requests. As it stands
now, I can do
cross-domain without really looking at security. Might
there be a way
to emulate this using script now?
|