[webkit-dev] Allowing webkit clients to extend XHR security policy

David Levin levin at google.com
Thu Apr 9 21:50:00 PDT 2009


On Thu, Apr 9, 2009 at 9:03 PM, Alexey Proskuryakov <ap at webkit.org> wrote:

> On 09.04.2009, at 22:38, Aaron Boodman wrote:
>
>> The local scheme feature is actually more powerful than just XHR
>
> If you only need extensions to do XHR, why not just make them use
> cross-origin XHR? That way, the extension won't even need to declare the
> origins it's going to access - all checks will be server-side, as with
> normal cross-origin XHR.


I think the idea is that a user could install an extension and the user
could trust the extension to do the cross-origin XHR (without the server for
the x-origin doing anything special).

For example, I used to have the book burro FF extension (
http://www.bookburro.org/) which displayed prices for books from several
book stores when you visit another online book store.

Dave



> - WBR, Alexey Proskuryakov