After half a year of waiting Microsoft finally posted their feedback on Access Control for Cross-Site Requests and specifically the way XMLHttpRequest Level 2 works with that. Microsoft blogged about this event. I suggest people read this rebuttal from Jonas on the paper Microsoft published. To be clear, while the specifications are not entirely finalized nobody has so far put forward a viable attack scenario that does not already apply when these technologies are not supported by user agents.
(Related: Working group fun and “Concerns” raised about W3C Access Control spec have been little more than FUD.)
You seem to equate "viable attack scenario" with "proven exploit" (rather than with "description of potential threat that should be mitigated") in a way that would give me the willies if I relied on your software as a user.
why are you not accepting comments like IE Blog without requiring XHTML conformity and all these loop holes? Commentingin IE blog takes a minute, writing anything proper here will take awhile. You will seriously lower the bar for comments including time pressed folks like ne if you make an update here -:)
Chris, lets not compare the security track record of Opera and Internet Explorer…
sunava, helps to keep spammers away. I realize it’s not the most usable solution and maybe at some point I’ll change it when I have the time. For now it’s good enough.