
Well, decades later they build this, but the question is, why use it when we have iframes and links among the html elements?

And this:

STRANGE RESTRICTION-- because of Web security rules (a complex maze), a web page cannot request pages from elsewhere. So we have to package all the contents into this first program.

It's called the CORS security model. Maybe someone doesn't want pages to embed their stuff?



It is actually a pretty strange restriction, if you look at it from some distance. I remember back then, when "mashups" were all the craze, I spent a weekend writing a website that parsed another site - forgot what it was actually about - and displayed it in a nice way. It worked perfectly offline, but failed online. That was the first time I heard about the same-origin policy.

The whole web security model grew organically and unplanned. Pages have access to your state and credentials, but are blocked from accessing other domains - but only under certain circumstances (e.g. loading scripts, or sending information is OK, just not "applying" your credentials). Retrospectively, it would have been much more sensible to allow scripts to access arbitrary HTTP (or even socket) addresses, but without sending cookies and credentials along when doing so.

There is just so much awesome stuff you can't build now because of that. Server-less RSS readers, a Wikipedia "shell", legally or politically sensitive mashups/JS apps hosted on some anonymous freehoster, and so on.


I'm tempted to think that the reason for the difference is that Xanadu imagines documents as documents (without any code or code-equivalent to be executed by the browser) and not as part of a web application, and not with HTTP auth or cookies to convey authority to take or invoke actions. The web security model has grown up because of what you can actively do via a web app (authenticated actions), and then because of what web apps can do to each other (cross-site/cross-domain every-random-thing).

In an era where Javascript was rare or nonexistent and where people typically "read" web pages rather than authenticating to them, it didn't seem very dangerous to arbitrarily include resources from one page in another.

It's not clear to me to what extent Xanadu ever considered whether it wanted to be used to build interactive server-based applications with user authentication and authenticated actions, and, if so, whether it ever fleshed out a security model for that.


Well cookies have a same-origin security policy for good reason, right? You don't want a http://en.wikipedia.org/wiki/Confused_deputy_problem ... otherwise the web would be horribly insecure.

And imagine that any site could request any document from another site that you're logged into ... I could just steal your bank account info or anything else, by writing a LOLcats site that gives you 15GB of free storage, while silently sending targeted requests to all the banks. Your cookies would be submitted along with those requests and MY SITE would get the info.

Proxies can't send your cookies like the browser can.

No, there are good reasons for these restrictions. Servers should whitelist certain resources and sites. Now there is only this: http://xkcd.com/792/


Well, a script should be able to set off a naked HTTP request to `othersite.com` without sending along the cookies for `othersite.com`. I don't see how that would allow new vulnerabilities.

Basically, make XMLHttpRequest not use any cookies etc. when making requests to other domains.


Yes, without cookies it should be able to, since it can via a proxy. This should be a capability of browsers.
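The cookie-stealing scenario described a few comments up and the credential-less cross-origin request proposed in the two replies above, as an added example that is not part of the thread: a JavaScript model of the decision a browser makes on a cross-origin fetch. It mirrors the CORS response check from the Fetch standard (Access-Control-Allow-Origin must name the page's origin or be `*`, and `*` is refused when credentials were included). The origins, the cookie jar and the response headers are constructed for illustration, and `simulateFetch` is a hypothetical helper, not a browser API.

```javascript
// Added example (not code from the thread or from any browser): a model of the
// browser's cross-origin fetch decision. For one request it answers two questions:
// does the browser attach the target site's cookies, and may the calling page
// read the response? Origins, cookies and headers are constructed for illustration.

// Constructed cookie jar: cookies the browser currently holds, keyed by origin.
const COOKIE_JAR = {
  'https://bank.example': 'session=abc123',
  'https://wiki.example': 'prefs=en',
};

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// The CORS response check as a browser applies it: the response is readable only
// if the server named this page's origin (or '*', which is refused when credentials
// were included) and, for credentialed requests, also sent
// Access-Control-Allow-Credentials: true. Header names are matched case-insensitively.
function corsCheck(pageOrigin, credentials, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined || allowOrigin === 'null') return false;
  if (credentials !== 'include' && allowOrigin === '*') return true;
  if (allowOrigin !== pageOrigin) return false;
  if (credentials === 'include' && h['access-control-allow-credentials'] !== 'true') return false;
  return true;
}

// credentials is one of the three fetch() modes: 'omit' | 'same-origin' | 'include'.
// Hypothetical helper: returns which cookie (if any) was attached and whether the
// caller may read the body. The request is sent in every case; CORS only gates reading.
function simulateFetch({ pageOrigin, url, credentials = 'same-origin', responseHeaders = {} }) {
  const target = originOf(url);
  const sameOrigin = target === pageOrigin;
  const attachCookies =
    credentials === 'include' || (credentials === 'same-origin' && sameOrigin);
  const cookiesSent = attachCookies ? (COOKIE_JAR[target] ?? null) : null;
  const readable = sameOrigin || corsCheck(pageOrigin, credentials, responseHeaders);
  return { target, cookiesSent, readable };
}

// Scenario 1: the "LOLcats site" from the thread fetches the bank with credentials
// included. The bank sent no CORS headers, so the session cookie travels with the
// request, but the attacker's script cannot read the reply.
const stolen = simulateFetch({
  pageOrigin: 'https://lolcats.example',
  url: 'https://bank.example/account',
  credentials: 'include',
  responseHeaders: { 'Content-Type': 'application/json' },
});

// Scenario 2: the bank "whitelists" with a wildcard plus allow-credentials. Browsers
// refuse '*' for credentialed requests, so this misconfiguration still leaks nothing.
const wildcard = simulateFetch({
  pageOrigin: 'https://lolcats.example',
  url: 'https://bank.example/account',
  credentials: 'include',
  responseHeaders: { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' },
});

// Scenario 3: the credential-less cross-origin request proposed in the thread, which
// fetch() offers as credentials: 'omit'. No cookie is sent, and a public server can
// opt in for every origin with '*'.
const mashup = simulateFetch({
  pageOrigin: 'https://mashup.example',
  url: 'https://wiki.example/wiki/Confused_deputy_problem',
  credentials: 'omit',
  responseHeaders: { 'Access-Control-Allow-Origin': '*' },
});

// Scenario 4: same credential-less request, but the server sent no CORS header at
// all. The request goes out, yet the response stays unreadable: the server must opt in.
const silent = simulateFetch({
  pageOrigin: 'https://mashup.example',
  url: 'https://wiki.example/wiki/Confused_deputy_problem',
  credentials: 'omit',
  responseHeaders: {},
});

console.log({ stolen, wildcard, mashup, silent });
```

Run it with `node`. Scenario 3 is the thread's proposal realized: `fetch()` with `credentials: 'omit'` carries no cookie, and a server that serves public documents can allow any origin with a wildcard. The caveat the thread does not mention is scenario 4: even a credential-less request needs the server's opt-in before the page may read the response, because otherwise a browser sitting inside a corporate network would become a proxy for reading intranet pages whose only access control is network position, not cookies.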


Ugh, I hear ya! I, too, built a handful of wildly powerful active pages... I was inspired by the decks from Neuromancer... I was able to scrape pages, combine multiple pages, but it all fell apart when I ran into XSS...

It could still be done via proxy...


Tel Aviv startup http://tomodo.com runs a proxy that hosts mashup "mods", e.g. a mashup that injects price history into Amazon pages

http://www.amazon-camelizer.tomodo.me/Kindle-Fire-HDX-Displa...

Some discussion here, apparently only the cross-domain traffic goes via the proxy https://github.com/TOMODOcom/TOMODOkorz/issues/3



