W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [cors] TAG request concerning CORS & Next Step(s)

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 24 Jun 2009 17:14:19 +0200
To: "Arthur Barstow" <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>, "Henry Thompson" <ht@inf.ed.ac.uk>
Message-ID: <op.uv1a95y964w2qv@anne-van-kesterens-macbook.local>
On Wed, 24 Jun 2009 13:29:38 +0200, Arthur Barstow <Art.Barstow@nokia.com>  
wrote:
> 1. Please respond to at least this part of Henry's mail:
>
> [[
> It appeared to us that a number of significant criticisms of the
> appropriateness of CORS have been submitted to the Working Group, from
> respected members of the Web Security community among others. These
> convinced us that there is a real possibility either that server-side
> deployment won't happen, or that even if it did the new functionality
> provided would, on the one hand, be insufficiently secure while, on the
> other, discouraging the provision of something more satisfactory.
> ]]

I think the potential for security issues has been pointed out in the  
alternate proposals, not CORS itself. CORS has certainly not been found to  
be ideal, but something more satisfactory to all parties involved has not  
been proposed either. I would also classify the outstanding issues against  
CORS as minor.

Having said that, if there is something in particular you are thinking of  
it would be nice to explicitly point that out (and in case that email  
received a reply it would be good to point out why that reply did not  
address the point in question).


> 2. For those that have been active in defining the CORS model and/or  
> CORS implementers - particularly Adam, Anne, Jonas, Hixie, Maciej, IE  
> guys (whomever replaced Sunava) - please indicate:
>
> a) their level of interest in continuing to push the current CORS model;

I'm happy to continue as editor.


> b) their implementation plans for CORS.

I cannot comment on behalf of Opera on this. I can point out that Safari 4  
and Chrome 2 ship with it and that Firefox 3.5 will too. (No  
implementation will support redirects yet though, as I understand things.)  
Internet Explorer 8 supports a subset of the protocol.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 24 June 2009 15:15:09 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT