W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [cors] Review

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 22 Jun 2009 12:33:33 -0700
Message-ID: <7789133a0906221233k31335946naf090bc1cd251b96@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Mon, Jun 22, 2009 at 11:30 AM, Tyler Close<tyler.close@gmail.com> wrote:
> It appears to me that almost all
> the complexity of CORS comes from its attempt to protect resources
> that rely solely on IP-based authentication.

I'm not sure this is the case.  I think the reasoning goes like this:

1) We can't strip all the credential information from cross-origin requests.
2) There's a large amount of value is supporting all the normal
credentials associated with HTTP requests.
3) Given (1), we have to deal with the credential issue.  Given (2),
we get a large benefit from from supporting all kinds of credentials.
4) Given (3), some folks have made a judgement call that value of
supporting credentials is worth the complexity.

> So let's take a look at the ACM digital library case. Is there some
> document that describes its use of IP-based authentication? Does the
> resource use this protection to authenticate POST requests, or just
> GET requests?

I'm not familiar with exactly how it works, but the basic idea is as follows:

1) Universities (and other folks) pay money to ACM digital library to
give their networks access to the library.
2) When I visit the library from the university network, I can
download papers, etc.
3) When I visit the library from home, I browse the index, but I can't
download the papers.

I seem to recall that the amount the university pays is somehow
related to how much they use the library, but I don't know what the
mechanism is for this or whether UC Berkeley buys an all-you-can-eat
subscription.

Adam
Received on Monday, 22 June 2009 19:34:31 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT