Changes

Cross Site XMLHttpRequest

456 bytes added, 07:02, 25 February 2007
Security worries
* Timeless left some comments at [http://docs.google.com/Doc?id=dhmd4jxt_27ggbhc8]
 
* Do NOT send custom headers or cookies when talking to external sites -- this risks exposing sensitive IDs, usernames, and passwords when talking to third party services.
 
* I don't see an adequate threat model described here -- what are the kinds of activities that a potential attacker might use this channel to do, and what are some ways to prevent this? For example, how will cross site XHR be used in conjunction with cross site scripting attacks?
