- Oct 14, 2007
--- In email@example.com, "Michael Schwarz" <michael.schwarz@...>
> Some other questions while implementing a client plugin:

Can you tell us which platform you are developing a client plugin for?

> Why only send the domain, doesn't the complete URI make sense?

The browser's security policy isn't granular enough to separate URIs
into separate security contexts, so it would be easy for a site to
spoof any URI within a given domain by injecting script
tags into other pages. Also, in Firefox (for example) there are many
scenarios where a page has a URI that does not specify a domain
according to the browser.
To make this header match the browser's security policy, it would be
possible to set a header of the form scheme://domain:port (with no
path included), but I'm not sure whether this is necessary.
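
Added example, not part of the original post: a sketch of reducing a page URI to the scheme://domain:port form mentioned above, showing that URIs differing only in path land in the same security context and that domain-less URIs yield no value at all. The function names and sample URIs are constructed, and writing out default ports explicitly is an assumption of this sketch.

```javascript
// Added illustration; headerOrigin/sameSecurityContext are hypothetical names.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a page URI to scheme://domain:port with no path.
// Returns null when the URI names no domain (about:, data:, file:, ...),
// which is the "page has a URI that does not specify a domain" case.
function headerOrigin(uri) {
  let u;
  try {
    u = new URL(uri);
  } catch (e) {
    return null; // unparseable input: no trustworthy domain to report
  }
  if (!Object.hasOwn(DEFAULT_PORTS, u.protocol) || u.hostname === "") {
    return null;
  }
  // Assumption: default ports are written out so equal origins compare equal.
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Pages whose reduced values match share one browser security context,
// so a path in the header would claim a separation the browser does not enforce.
function sameSecurityContext(a, b) {
  const oa = headerOrigin(a);
  const ob = headerOrigin(b);
  return oa !== null && oa === ob;
}

// Constructed sample URIs.
const samples = [
  "http://example.com/profile/alice",
  "http://example.com/profile/mallory",
  "https://example.com:8443/login?next=/",
  "about:blank",
  "data:text/html,<p>hi</p>",
];
for (const s of samples) {
  console.log(s, "->", headerOrigin(s));
}
```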