- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 15 May 2008 17:22:23 +0200
- To: Jon Ferraiolo <jferrai@us.ibm.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
* Jon Ferraiolo wrote:
>[...]

It seems your confusion and your misplaced comments are the result of your overly narrow focus on a small subset of the problem space "AC" is supposed to address, and on making sites and services available to third parties, rather than inadvertently exposing them. You regularly reinforce your own confusion by using misleading terminology. E.g.:

>XDR has a similar approach where the server must opt-in by checking for
>XDomainRequest: 1 header in the request and returning
>XDomainRequestAllowed: 1 in the response.

Here you use "opt-in" without further qualification. Consider you receive a spam mail offering you the choice to receive additional spam mail. The spammer might then also say people must opt-in by clicking some link or whatever, but he would only tell half the story, since you never opted into receiving any mail from him in the first place.

If you would escape the narrow little subset of features offered by XDR and JSONRequest for a little while, it would be much easier for you to see that the spammer, or in our case, the browser, can't just send out the initial message hoping the server welcomes it, an opt-in is required.

To put it this way: some people are trying to design a vehicle that takes them from Iceland to Australia, and you tell them people should only ride bicycles out of environmental considerations. There won't be any agreement between you and those people until you stop talking about bicycles, and start talking about whether to make the trip at all.

>I'm not sure what you are asking. Are you saying that we can't require
>existing servers to make changes in order to support cross-site requests?

Consider you reached a compromise and built a bicycle-powered ship. Jonas' perspective is this: "Oh my god, an iceberg! We must change course or we will all perish!" Your perspective is this: "Hey look, an iceberg with cute little penguins! We must change course to observe them more closely!"

Superficially either problem requires a course correction, but hidden under the surface is a big difference. It may well be that for architectural or practical reasons you think that the wrong problem is being solved here, that there should never be cross site requests with non-trivial methods, with automatic state management, standard authentication facilities and broad control over headers and data formats, but running around screaming how the server should have more pep and how you don't understand what everyone else is talking about is not a good way to convey that.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
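As an added illustration of the "half the story" point made in the message above (this is not part of Björn's mail nor of any W3C draft), the following Python models the two opt-in styles being argued about. The header names `XDomainRequest: 1` and `XDomainRequestAllowed: 1` are the ones quoted in the thread; the advance "preflight" question is an assumed stand-in for the Access Control approach, not its real wire format.

```python
# Constructed model of two "opt-in" styles for cross-site requests.
# XDomainRequest / XDomainRequestAllowed are the header names quoted in the
# thread; answer_preflight() is an ASSUMED stand-in for an ask-first exchange.

class Server:
    """Toy origin server that records every request it actually processed."""

    def __init__(self, welcomes_cross_site: bool):
        self.welcomes_cross_site = welcomes_cross_site
        self.processed = []  # requests whose side effects have already happened

    def handle(self, method: str, headers: dict, body: str) -> dict:
        # The request has already arrived, so whatever it does is done before
        # the server gets to say whether it wanted cross-site traffic at all.
        self.processed.append((method, body))
        resp = {}
        if headers.get("XDomainRequest") == "1" and self.welcomes_cross_site:
            resp["XDomainRequestAllowed"] = "1"
        return resp

    def answer_preflight(self, method: str) -> bool:
        # Assumed: asked in advance whether a cross-site request with this
        # method is welcome, before any such request is sent.
        return self.welcomes_cross_site


def xdr_style(server: Server, method: str, body: str) -> bool:
    """Browser sends at once; the server 'opts in' only in its reply.
    Returns whether the response would be shown to the calling page."""
    resp = server.handle(method, {"XDomainRequest": "1"}, body)
    return resp.get("XDomainRequestAllowed") == "1"


def preflight_style(server: Server, method: str, body: str) -> bool:
    """Browser asks first; the real request leaves only after a yes."""
    if not server.answer_preflight(method):
        return False
    server.handle(method, {}, body)
    return True
```

The difference the mail points at is visible in `server.processed`: with the XDR style a server that never wanted cross-site POSTs still processes the one it receives, while the ask-first style leaves it untouched.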
Received on Thursday, 15 May 2008 15:23:09 UTC