Changes


Cross Site XMLHttpRequest

241 bytes added, 00:45, 23 January 2007
Details
There is currently no finished spec for how this should work. The latest draft spec is available here [http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012].
 
It relies on the access-control spec (which is also still in draft) to signal when a document is accessible and when it is not. [http://lists.w3.org/Archives/Public/public-appformats/2006Oct/att-0001/AC-2006-10-02-Porter.html]
== Security worries ==
* The first thing that worries me is that you can make POST submissions to any URL and include XML data as payload. It is already possible to make POST submissions to any URL, but the only possible payload is text/plain encoded form data or multipart/mixed encoded files and form data. With Cross-Site XMLHttpRequest it would be possible to send XML data. In particular there is worry that this would make it possible to do SOAP requests to any server. Note that while the page would be unable to access the data returned by the SOAP request, that isn't necessary if the request itself is "transfer all users money to account 12345-67".
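
One server-side answer to this worry, as an added example that is not part of the draft spec or of this page's original text: a SOAP endpoint should not treat "the body is XML" as proof that a request came from its own pages, and should instead require a per-session secret that another site cannot read. The request shape, the session store and the `X-CSRF-Token` header name are assumptions made for illustration.

```javascript
// Hypothetical guard for a SOAP-over-HTTP endpoint. All names here are
// assumptions for illustration; none come from the draft specs linked above.

// Compare two strings without returning early on the first mismatch.
function sameSecret(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// store: Map of session id -> { csrfToken }, standing in for a session store.
// req:   { method, sessionId, headers } with lower-cased header names.
function authorizeSoapRequest(req, store) {
  const method = req.method.toUpperCase();
  if (method === "GET" || method === "HEAD") return { allow: true, reason: "safe method" };
  const session = store.get(req.sessionId);
  if (!session) return { allow: false, reason: "no session" };
  // The browser attaches the session cookie to cross-site requests as well,
  // and a text/xml Content-Type proves nothing once a cross-site
  // XMLHttpRequest can send XML. Only a secret tied to the session, which
  // the other site cannot read, separates the two cases.
  if (!sameSecret(req.headers["x-csrf-token"], session.csrfToken)) {
    return { allow: false, reason: "missing or wrong token" };
  }
  return { allow: true, reason: "token matches session" };
}

// Constructed sample data: one logged-in session and two POSTs carrying
// the same cookie-derived session id and the same XML content type.
const sessions = new Map([["sid-1", { csrfToken: "constructed-token-123" }]]);
const sameSitePost = {
  method: "POST",
  sessionId: "sid-1",
  headers: { "content-type": "text/xml", "x-csrf-token": "constructed-token-123" },
};
const crossSitePost = {
  method: "POST",
  sessionId: "sid-1",
  headers: { "content-type": "text/xml" },
};

console.log(authorizeSoapRequest(sameSitePost, sessions));
console.log(authorizeSoapRequest(crossSitePost, sessions));
```

The two sample requests differ only in the token, which is the point: the cookie and the XML content type are identical in both.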