XMLHTTPRequest for cross-domain requesting
Steffen Heinzl
If I see this correctly, it is at the moment possible to configure the
XMLHTTPRequest method to allow access to the same domain (default), to
all sites (by setting capability.policy.default.XMLHttpRequest.open to
allAccess), or to allow some sites to do cross-domain stuff. Wouldn't it
be a good feature to allow access only TO particular sites independent
of the site loaded at the moment, or is this already possible?
Best Regards,
Steffen
Boris Zbarsky
> If I see this correctly, it is at the moment possible to configure the
> XMLHTTPRequest method to allow access to the same domain (default), to
> all sites (by setting capability.policy.default.XMLHttpRequest.open
Note that this capability.policy thing will no longer work in Firefox 3.
-Boris
Steffen Heinzl
Thanks for the info. Will cross-domain requesting work in another way
then or will it be completely forbidden?
Steffen
Boris Zbarsky
> Thanks for the info. Will cross-domain requesting work in another way
> then or will it be completely forbidden?
A site will be able to request expanded privileges to do it, in the usual way
(if the user allows sites to request such privileges, etc).
But yes, generally it will be forbidden.
-Boris
Steffen Heinzl
I think it would make sense to allow a user to add a certain domain to a
list of domains (like in the pop up blocker) which are allowed to do
cross-domain stuff.
Furthermore, it would be really cool if the user could allow cross
domain connections TO a specific site from all sites.
If for example a site wants to retrieve data from Amazon or Google or
whatever, I believe a user is going to trust the connection TO these
sites, but not all connections FROM one domain which perhaps among
others connects to Google and Amazon.
I believe the handling of both types of cross-domain connections would
be very useful.
Steffen