XMLHTTPRequest for cross-domain requesting

11 views
Skip to first unread message

Steffen Heinzl

unread,
Apr 18, 2008, 10:43:50 AM4/18/08
to
Hi!

If I see this correctly, it is at the moment possible to configure the
XMLHTTPRequest method to allow access to the same domain (default), to
all sites (by setting capability.policy.default.XMLHttpRequest.open to
allAccess), or to allow some sites to do cross-domain stuff. Wouldn't it
be a good feature to allow access only TO particular sites independent
of the site loaded at the moment, or is this already possible?


Best Regards,
Steffen

Boris Zbarsky

unread,
Apr 19, 2008, 12:15:46 AM4/19/08
to
Steffen Heinzl wrote:
> If I see this correctly, it is at the moment possible to configure the
> XMLHTTPRequest method to allow access to the same domain (default), to
> all sites (by setting capability.policy.default.XMLHttpRequest.open

Note that this capability.policy thing will no longer work in Firefox 3.

-Boris

Steffen Heinzl

unread,
Apr 24, 2008, 4:42:38 PM4/24/08
to

Thanks for the info. Will cross-domain requesting work in another way
then or will it be completely forbidden?

Steffen

Boris Zbarsky

unread,
Apr 24, 2008, 6:32:02 PM4/24/08
to
Steffen Heinzl wrote:
> Thanks for the info. Will cross-domain requesting work in another way
> then or will it be completely forbidden?

A site will be able to request expanded privileges to do it, in the usual way
(if the user allows sites to request such privileges, etc).

But yes, generally it will be forbidden.

-Boris

Steffen Heinzl

unread,
Apr 25, 2008, 8:07:58 AM4/25/08
to

I think it would make sense to allow a user to add a certain domain to a
list of domains (like in the pop up blocker) which are allowed to do
cross-domain stuff.

Furthermore, it would be really cool if the user could allow cross
domain connections TO a specific site from all sites.

If for example a site wants to retrieve data from Amazon or Google or
whatever, I believe a user is going to trust the connection TO these
sites, but not all connections FROM one domain which perhaps among
others connects to Google and Amazon.

I believe the handling of both types of cross-domain connections would
be very useful.

Steffen

Reply all
Reply to author
Forward
0 new messages