- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 26 Jan 2009 19:21:24 +0100
- To: "Adam Barth" <w3c@adambarth.com>, "Thomas Broyer" <t.broyer@gmail.com>
- Cc: public-html <public-html@w3.org>
On Mon, 26 Jan 2009 19:01:34 +0100, Adam Barth <w3c@adambarth.com> wrote: > Wouldn't it be better for the <script> tag to understand CORS? This > is a confidentiality issue, which is what CORS is aimed at. In the end the proper solution here is to not use <script> as API but use CORS in combination with XMLHttpRequest. For both parties it seems, to not expose data you do not want to (API developer side) and to not allow random scripts to execute in the context of your page (API user side). We cannot change the loading model of <script> itself at this point, but we can introduce better alternatives (and will) going forward. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Monday, 26 January 2009 18:22:19 UTC