I don't think this (Origin and laxing Same Origin Policy for XMLHttpRequest) is a really good idea for the reasons I have listed in this little article:

You'll also find the right alternative - an 'opt-in' black/white list for web servers on cross domain requests...

Mostly, we're pushing too much onto servers. Why can't the browser determine what exceptions to Same Origin Policy will be made based on a response header containing a white/black list of URLs? Why is Origin even necessary?

Thanks for considering this, I think it is important....
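To make the proposal above concrete, here is an added example (not code from the original post or from any browser) of the browser-side decision the author describes: the server opts in with a response header carrying an allow/deny list, and the browser, not the server, decides whether the cross-domain response may be exposed to the page. The header name `X-Cross-Domain-Policy`, its `allow <origin>` / `deny <origin>` / `allow *` syntax, and the rule that deny entries win are all assumptions for illustration. Origins are compared as normalized scheme+host+port (via the standard `URL` API), never by substring, so `https://app.example.attacker` does not match `https://app.example`.

```javascript
// Added example, not from the original post: a browser-side check for an
// assumed "opt-in" cross-domain policy header. Header name and format are
// hypothetical; the matching logic is the security-relevant part.
//
// Assumed header format (comma-separated):
//   X-Cross-Domain-Policy: allow https://app.example, deny https://evil.example
//   X-Cross-Domain-Policy: allow *
// Deny entries always override allow entries, including "allow *".

// Normalize a URL string to its origin (scheme://host[:port]); default ports
// are dropped by the URL parser, so "https://a.example:443" equals "https://a.example".
// Anything that is not a well-formed http(s) URL yields null and is never trusted.
function parseOrigin(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin;
}

// Parse the header value into explicit allow and deny sets. Malformed entries
// are ignored rather than being interpreted generously.
function parsePolicy(headerValue) {
  const policy = { allow: new Set(), deny: new Set(), allowAll: false };
  if (!headerValue) return policy; // no header => no exception to Same Origin Policy
  for (const raw of headerValue.split(',')) {
    const entry = raw.trim();
    if (!entry) continue;
    const m = /^(allow|deny)\s+(\S+)$/i.exec(entry);
    if (!m) continue;
    const verb = m[1].toLowerCase();
    const target = m[2];
    if (verb === 'allow' && target === '*') {
      policy.allowAll = true;
      continue;
    }
    const origin = parseOrigin(target);
    if (origin === null) continue;
    policy[verb].add(origin);
  }
  return policy;
}

// The decision the browser would make before handing the response body to
// script running at requestingOrigin. Exact-origin match only; deny wins.
function mayExposeResponse(requestingOrigin, headerValue) {
  const origin = parseOrigin(requestingOrigin);
  if (origin === null) return false;
  const policy = parsePolicy(headerValue);
  if (policy.deny.has(origin)) return false;
  if (policy.allowAll) return true;
  return policy.allow.has(origin);
}

// Constructed sample header for a quick stand-alone run.
const SAMPLE_POLICY =
  'allow https://app.example, deny https://evil.example, allow https://evil.example';

console.log(mayExposeResponse('https://app.example', SAMPLE_POLICY));          // true
console.log(mayExposeResponse('https://app.example.attacker', SAMPLE_POLICY)); // false
console.log(mayExposeResponse('https://evil.example', SAMPLE_POLICY));         // false (deny wins)
```

The two properties worth checking in any such mechanism are visible in the tests: a missing header grants nothing (the default stays closed), and origin comparison is exact after normalization, so neither a different scheme nor a look-alike host on a longer domain slips through.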