
Re: Request for Review: Cross-Origin Resource Sharing

From: Jon Ferraiolo <jferrai@us.ibm.com>
Date: Fri, 3 Apr 2009 16:53:46 -0700
To: Doug Schepers <schepers@w3.org>
Cc: "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <OF51919C97.9C5C038F-ON8825758D.0082C8CB-8825758D.008343E7@us.ibm.com>

Hi Doug,
OpenAjax Alliance is highly interested in the security aspects of the CORS
spec, but AFAIK, there isn't anyone doing careful monitoring of spec
changes or email list discussion. Sounds like it is time for me to solicit
input from our security committee on the most recent spec.


Doug Schepers
Sent by: public-webapps-request@w3.org
04/03/2009 04:12 PM
To: ietf-http-wg@w3.org, "public-webapps@w3.org"
Subject: Request for Review: Cross-Origin Resource Sharing


The W3C Web Applications WG is actively seeking review for the
Cross-Origin Resource Sharing (CORS) specification [1] from parties
interested in Web security.  This specification currently depends upon
the proposed Origin header, which started within the CORS specification
but has been split out as an IETF draft, The HTTP Origin Header [2].

It should be noted that the Origin header has received some criticism,
and the WebApps WG is discussing whether it may be sufficient for use
with the use cases covered by CORS.  The CORS specification is currently
being implemented by major browsers, including at least Internet
Explorer 8, beta versions of Firefox 3.5, and beta versions of Safari 4.
Therefore, it is of particular importance and urgency that we receive
formal review of CORS.

A previous request for review [1] (when this specification was known as
"Access Control for Cross-Site Requests") did not result in sufficient
technical response during the last year and a half.  It is difficult for
the WebApps WG to determine if this was due to lack of interest, lack of
perceived problems, or belief that review of the Origin header draft was

Explicit review will help us assess how to move forward with this work
in a way that is mindful of Web security architecture.  We would
appreciate this call for review being forwarded to any lists or people
that should be aware of it.

[1] http://www.w3.org/TR/cors/
[2] http://tools.ietf.org/html/draft-abarth-origin-00
[3] http://lists.w3.org/Archives/Public/ietf-http-wg/2007OctDec/0298.html

Best Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs


Received on Saturday, 4 April 2009 00:07:07 UTC
