
Re: [cors] Review

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 17 Jun 2009 23:19:36 +0000 (UTC)
To: Tyler Close <tyler.close@gmail.com>
Cc: Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
Message-ID: <Pine.LNX.4.62.0906172306130.16244@hixie.dreamhostps.com>
On Wed, 17 Jun 2009, Tyler Close wrote:
> >
> > I believe we have such services at Google, though for obvious reasons 
> > I wouldn't want to elaborate on that.
> 
> Wow, if you could just confirm their existence, that would do fine. So 
> this resource acts on PUT or DELETE, or POST of a Content-Type other 
> than "application/x-www-form-urlencoded" or "text/plain"? And it checks 
> the Content-Type header? And it doesn't require any user credentials at 
> all? Connectivity is good enough.

What you describe here seems to differ from what you described previously. 
I don't feel comfortable talking about our internal services, though, so 
I'd rather not elaborate.


> Is there any way a browser could tell a request is being sent to a 
> server behind your firewall, and not a server on the open Internet?

No.


> > Is this the proposal to which you refer?:
> >
> > http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1011.html
> 
> Yes.

This seems to fail for cases that aren't even Intranet cases. Consider for 
instance a publicly accessible SOAP service that does authentication on an 
IP address basis only, and relies on checking the Content-Type header to 
make sure forms can't submit to it.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
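The following is an added illustration, not part of the thread: it models the CORS preflight rule under discussion (a request is sent without preflight only if an HTML form could have produced it) beside the Content-Type gate the SOAP service in Ian's example relies on, so the invariant the two depend on can be checked directly. The header dictionary, sample values and the `text/xml` default are constructed assumptions.

```python
# Added example (not from the original email): the CORS preflight rule
# for method and Content-Type, and the server-side Content-Type gate.
# Only method and Content-Type are considered, as in the thread; custom
# request headers would also force a preflight in real CORS.

# Content-Types a plain HTML form can already send. The email names the
# first and third; multipart/form-data is the remaining safelisted one.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SIMPLE_METHODS = {"GET", "HEAD", "POST"}


def _header(headers, name):
    """Case-insensitive header lookup on a constructed dict."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower())


def _media_type(content_type):
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def requires_preflight(method, headers):
    """True if a browser must send an OPTIONS preflight first.

    PUT/DELETE, or a POST whose body is not a form type (e.g. SOAP XML),
    is preflighted; a server that never answers the preflight therefore
    never receives the actual request from a cross-origin page.
    """
    method = method.upper()
    if method not in SIMPLE_METHODS:
        return True
    ct = _header(headers, "Content-Type")
    if method == "POST" and ct is not None:
        return _media_type(ct) not in FORM_CONTENT_TYPES
    return False


def content_type_gate_accepts(headers, expected="text/xml"):
    """The check the SOAP service relies on: accept only its own media
    type, which rejects everything a browser form can submit."""
    ct = _header(headers, "Content-Type") or ""
    return _media_type(ct) == expected


def reachable_without_preflight(method, headers, expected="text/xml"):
    """Can a request both skip preflight and pass the gate? While the
    gate expects a non-form type this is always False, which is the
    property the thread is weighing."""
    return (not requires_preflight(method, headers)
            and content_type_gate_accepts(headers, expected))
```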
Received on Wednesday, 17 June 2009 23:20:09 GMT