The W3C Voice Browser, Web APIs,
and Web Application Formats (WAF) Working Groups have posted a new working
draft of Cross-Origin Resource Sharing (formerly Access Control for Cross-site Requests).
According to the draft, "This document defines a mechanism to enable client-side cross-origin
requests. Specifications that want to enable cross-origin requests in an
API they define can use the algorithms defined by this specification. If
such an API is used on http://example.org
resources, a
resource on http://hello-world.example
can opt in using the
mechanism described by this specification (e.g., specifying
Access-Control-Allow-Origin: http://example.org
as response
header), which would allow that resource to be fetched cross-origin from
http://example.org
." In other words, Bob's browser can download a JavaScript program from Alice's server. The JavaScript served from Alice's computer but running in Bob's browser can now download more data from Eve's server if Eve allows it.
I finally see how this works, but there are some major flaws here. There are several reasons cross-server requests have been banned in Java and JavaScript for the last 15 years: distributed denial of service attacks, behind-the-firewall scanning, and information distribution to 3rd parties. This approach ameliorates these problems, but does not eliminate them. Each of those possible attacks is less powerful and effective when this regime is in place, but is still possible. It also makes it dramatically easier for 3rd parties to write and install software to track user behavior across web sites. User privacy concerns do not appear to play any part in the design of this spec.