
[Bug 11203] Canvas security model does not allow for same-origin relaxation

From: <bugzilla@jessica.w3.org>
Date: Wed, 03 Nov 2010 22:38:11 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1PDly7-0004of-H7@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11203

--- Comment #9 from Matt Schemmel <matt.schemmel@gmail.com> 2010-11-03 22:38:11 UTC ---
Normally I'd slightly disagree with you there, so long as A and B are part of
the same parent domain.

Definitely haven't thought through the repercussions in an EC2 age, though, so
I'll defer to those that have :)


The biggest concern that I have with the CORS approach is that it seems like it
depends on the UAs to properly set up the Origin header on the request, which I
don't believe is generally the case today. (We're really not looking to "*" out
the credentialing, though I guess that could be a workaround).

Am I reading the CORS spec right in that cookies can be passed with the
request, just that UAs are expected to disregard any modifications that come by
way of Set-Cookie in the response?

Received on Wednesday, 3 November 2010 22:38:13 GMT
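As an added illustration (not code from this thread or from any W3C project), a minimal server-side CORS decision that shows the two points raised in the comment above: the server can only act on the Origin header the UA actually sends, and a credentialed response has to echo one exact origin rather than "*". The function names and the sample origins are my own assumptions.

```javascript
// Added example, not from the thread: a server-side CORS decision function.
// Names (corsHeadersFor, browserAcceptsCredentialed) and origins are hypothetical.
const ALLOWED_ORIGINS = new Set([
  'https://a.example.com',   // constructed sample origins
  'https://b.example.com',
]);

// requestHeaders: plain object of lower-cased header names -> values.
// Returns the CORS response headers to add, or null to add none
// (the browser then blocks the cross-origin read of the response).
function corsHeadersFor(requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = requestHeaders['origin'];
  // No Origin header: either a same-origin request or a UA that did not
  // set it. Nothing can be safely granted, so grant nothing.
  if (!origin) return null;
  // Exact string match against the allowlist; no suffix or substring
  // matching, since "https://a.example.com.other.test" would otherwise pass.
  if (!allowed.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,       // echo the one origin, never "*"
    'Access-Control-Allow-Credentials': 'true',  // cookies may accompany the request
    'Vary': 'Origin',                            // shared caches must key on Origin
  };
}

// Mirrors the browser-side rule for a credentialed request: the response is
// usable only if ACAO is exactly the page's origin (not "*") and ACAC is "true".
function browserAcceptsCredentialed(responseHeaders, pageOrigin) {
  if (!responseHeaders) return false;
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  return acao === pageOrigin && acac === 'true';
}
```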
