W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [cors] Review

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 22 Jun 2009 17:10:27 -0700
Message-ID: <5691356f0906221710i45516172s1835dd423288f3a0@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Mon, Jun 22, 2009 at 4:27 PM, Ian Hickson<ian@hixie.ch> wrote:
> The only people who really get to
> decide here are the browser vendors. For better or worse, they seem to
> have decided to go with what CORS says today. If anyone wants to change
> that, it is the implementors they need to convince.

>From what I've read, XDomainRequest can be viewed as a subset
implementation of either CORS, or my simpler proposal. Actually, it
seems to be closer to a subset of my proposal, since the documentation
seems to suggest that credentials are not sent to any site, including
the same origin. Perhaps a staged deployment like this will work best
anyways, since I suspect XDomainRequest will uncover any actual
problems with reliance on connectivity, or client IP address, for
authentication.

Hopefully browser implementers have been monitoring this discussion
and have found it informative and useful. I'm happy to discuss further
with them.

> Sure, this forces us into designs that suck and generally are suboptimal.

If they suck enough, they won't be used widely and so just create
additional attack surface area, without providing useful
functionality. I suspect the extra round-trips in CORS will cause many
developers to simply avoid using that part of CORS; especially since
it's not supported under IE.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 23 June 2009 00:11:08 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT