
Re: [cors] TAG request concerning CORS & Next Step(s)

From: Arun Ranganathan <arun@mozilla.com>
Date: Wed, 24 Jun 2009 11:52:09 -0700
Message-ID: <4A4275D9.6040100@mozilla.com>
To: Arthur Barstow <Art.Barstow@nokia.com>, Henry Thompson <ht@inf.ed.ac.uk>, www-tag@w3.org
CC: public-webapps <public-webapps@w3.org>

Arthur Barstow wrote:
> Members of the Web Apps WG,
>
> Below is an email from Henry Thompson (forwarded with his permission), 
> on behalf of the TAG [1], re the CORS spec [2].
>
> Two things:
>
> 1. Please respond to at least this part of Henry's mail:
>
> [[
> It appeared to us that a number of significant criticisms of the
> appropriateness of CORS have been submitted to the Working Group, from
> respected members of the Web Security community among others. These
> convinced us that there is a real possibility either that server-side
> deployment won't happen, or that even if it did the new functionality
> provided would, on the one hand, be insufficiently secure while, on the
> other, discouraging the provision of something more satisfactory.
> ]]
>
> 2. For those that have been active in defining the CORS model and/or 
> CORS implementers - particularly Adam, Anne, Jonas, Hixie, Maciej, IE 
> guys (whomever replaced Sunava) - please indicate:
>
> a) their level of interest in continuing to push the current CORS model;

I've documented what Firefox 3.5 will do here:

https://developer.mozilla.org/En/HTTP_access_control

Also see:

https://developer.mozilla.org/En/Server-Side_Access_Control

Now, note that this documentation is dated (it still uses the term 
"Access Control" which should change).  But it is a reflection of what 
will go live in Fx3.5 (Jonas has already commented on redirects on 
preflighted requests, which won't be supported).

A simple test of Fx 3.5 functionality might be:

http://arunranga.com/examples/access-control/

We continue to have discussion about the "number of significant 
criticisms."  I'm keen to see this result in tangible proposals.
>
> b) their implementation plans for CORS.

See above (and see email from Jonas Sicking).

-- A*
Received on Wednesday, 24 June 2009 19:19:32 GMT
