W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [cors] TAG request concerning CORS & Next Step(s)

From: Michael(tm) Smith <mike@w3.org>
Date: Thu, 25 Jun 2009 03:00:25 +0900
To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
Cc: Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Message-ID: <20090624180022.GA7324@sideshowbarker>
"Henry S. Thompson" <ht@inf.ed.ac.uk>, 2009-06-24 18:22 +0100:

> Jonas Sicking writes:
> > As Anne pointed out, others have also deployed partial support. In
> > fact, relatively speaking, CORS has seen an extraordinary amount of
> > browser deployment already.
> One point of clarification: my (admittedly imperfect) understanding
> was that the most important parts of CORS have to be implemented
> _server_-side for the proposal to achieve its goals.  If that's true,
> browser deployment alone is insufficient.  Is that a misunderstanding
> on my part?

It's not true.

The spec was explicitly designed with a goal of minimizing any
server-side changes that would need to be made to enable it.

Some of the relevant requirements:

  - Must be deployable to IIS and Apache without requiring actions
    by the server administrator in a configuration where the user
    can upload static files, run serverside scripts (such as PHP,
    ASP, and CGI), control headers, and control authorization, but
    only do this for URLs under a given set of subdirectories on
    the server.

  - Must be able to deploy support for cross-origin GET requests
    without having to use server-side scripting (such as PHP, ASP,
    or CGI) on IIS and Apache.

  - Must not require that the server filters the entity body of
    the resource in order to deny cross-origin access to all
    resources on the server.

Michael(tm) Smith
Received on Wednesday, 24 June 2009 18:00:46 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:16 UTC