On Tue, Jan 12, 2010 at 09:24:14AM +0000, Mark Robson wrote:
> As any site serious about scaling will be serving static files mostly off
> separate virtual hosts anyway (usually with its own top level domain,
> example yimg.com used by yahoo)
Ugh, a horrible practice brought on by the idiotic confusion brought about
by javascript and flash objects trying to imply trust relationships between
subdomains that just aren't there.
At least I understand now that that's why people do this, having read a
recent review of the recent file extension flash execution fun and games,
but that doesn't make it any more palatable.
This bogus trust relationship business doesn't end there. For
example, one SSL certificate supplier I recently dealt with, based on
discussions with them, would have been quite happy for me to deal with SSL
certificates for foo.ox.ac.uk because I had some association with
bar.ox.ac.uk.
Just to make it explicit, please don't ever imply *any* trust relationship
between subdomains (which for a start would require building in some
special knowledge of second-level domains - ugh) when implementing with
cross-site scripting features...
</rant>
--
Dominic Hargreaves |
http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
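The point in the message above, that foo.ox.ac.uk and bar.ox.ac.uk must not be treated as trusting each other, and that any "shared parent domain" heuristic drags in special knowledge of second-level domains, can be shown in a few lines. The following is an added example, not code from the poster or from any list member: it contrasts a strict origin comparison (scheme, host and port must all match exactly) with the flawed "same parent" heuristics. The `PUBLIC_SUFFIXES` set is a constructed, deliberately tiny stand-in for a real public-suffix list, and all hostnames and URLs in it are illustrative.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for a public-suffix list.  A real
# deployment would need the full, constantly changing list, which is exactly
# the "special knowledge of second-level domains" a parent-domain heuristic
# requires and a strict origin check does not.
PUBLIC_SUFFIXES = {"uk", "ac.uk", "co.uk", "com"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that defines a web origin."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported or malformed URL: %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def same_origin(url_a, url_b):
    """Strict check: every component must match exactly.

    https://foo.ox.ac.uk and https://bar.ox.ac.uk are different origins,
    and so are http://foo.ox.ac.uk and https://foo.ox.ac.uk.  No knowledge
    of the DNS hierarchy is needed to decide this.
    """
    return origin(url_a) == origin(url_b)


def naive_shares_parent(host_a, host_b):
    """The flawed 'same parent domain' heuristic: compare the last two labels.

    Without suffix knowledge it conflates every *.ac.uk host, so an unrelated
    evil.ac.uk would be treated as a sibling of foo.ox.ac.uk.
    """
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def registrable_domain(host):
    """Shortest suffix of host that is one label longer than a public suffix.

    Returns None when host itself is a public suffix (e.g. 'ac.uk'), since
    nobody 'owns' a registry suffix.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return host.lower()  # no known suffix: treat the whole host as registrable


def shares_registrable_domain(host_a, host_b):
    """Suffix-aware version of the heuristic.

    Even with a correct suffix list this still lumps foo.ox.ac.uk together
    with bar.ox.ac.uk, which is the trust relationship the mail says must
    never be implied.
    """
    ra, rb = registrable_domain(host_a), registrable_domain(host_b)
    return ra is not None and ra == rb


if __name__ == "__main__":
    a, b = "https://foo.ox.ac.uk/", "https://bar.ox.ac.uk/"
    print("same origin:", same_origin(a, b))                          # False
    print("naive parent:", naive_shares_parent("foo.ox.ac.uk", "evil.ac.uk"))  # True
    print("suffix-aware parent:",
          shares_registrable_domain("foo.ox.ac.uk", "bar.ox.ac.uk"))   # True
```

Only `same_origin` gives the answer the mail asks for; both parent-domain variants either need an external suffix list to avoid lumping every `*.ac.uk` host together, or, once they have it, still treat two unrelated departments under ox.ac.uk as trusting each other.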