[webkit-dev] Allowing webkit clients to extend XHR security policy

Aaron Boodman aa at chromium.org
Fri Apr 10 10:23:44 PDT 2009


On Thu, Apr 9, 2009 at 9:50 PM, David Levin <levin at google.com> wrote:
>
> On Thu, Apr 9, 2009 at 9:03 PM, Alexey Proskuryakov <ap at webkit.org> wrote:
>>
>> On 09.04.2009, at 22:38, Aaron Boodman wrote:
>>
>>> The local scheme feature is actually more powerful than just XHR
>>
>> If you only need extensions to do XHR, why not just make them use
>> cross-origin XHR? That way, the extension won't even need to declare the
>> origins it's going to access - all checks will be server-side, as with
>> normal cross-origin XHR.
>
> I think the idea is that a user could install an extension and the user
> could trust the extension to do the cross-origin xhr (without the server for
> the x-origin doing anything special).
> For example, I used to have the book burro FF extension
> (http://www.bookburro.org/) which displayed prices for books from several
> book stores when you visit another online book store.

Exactly. Sorry for not making this clear in the original mail.

- a

