"Henry S. Thompson" <ht@inf.ed.ac.uk>, 2009-06-24 18:22 +0100: > Jonas Sicking writes: > > > As Anne pointed out, others have also deployed partial support. In > > fact, relatively speaking, CORS has seen an extraordinary amount of > > browser deployment already. > > One point of clarification: my (admittedly imperfect) understanding > was that the most important parts of CORS have to be implemented > _server_-side for the proposal to achieve its goals. If that's true, > browser deployment alone is insufficient. Is that a misunderstanding > on my part? It's not true. The spec was explicitly designed with a goal of minimizing any server-side changes that would need to be made to enable it. Some of the relevant requirements: - Must be deployable to IIS and Apache without requiring actions by the server administrator in a configuration where the user can upload static files, run serverside scripts (such as PHP, ASP, and CGI), control headers, and control authorization, but only do this for URLs under a given set of subdirectories on the server. - Must be able to deploy support for cross-origin GET requests without having to use server-side scripting (such as PHP, ASP, or CGI) on IIS and Apache. - Must not require that the server filters the entity body of the resource in order to deny cross-origin access to all resources on the server. -- Michael(tm) Smith http://people.w3.org/mike/Received on Wednesday, 24 June 2009 18:00:46 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:11 GMT