Re: [cors] TAG request concerning CORS & Next Step(s) from Jonas Sicking on 2009-06-24 (public-webapps@w3.org from April to June 2009)

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 24 Jun 2009 12:23:49 -0700
To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
Cc: Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Message-ID: <63df84f0906241223q34eb7b27m1193815c3fb86068@mail.gmail.com>

On Wed, Jun 24, 2009 at 10:22 AM, Henry S. Thompson<ht@inf.ed.ac.uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jonas Sicking writes:
>
>> As Anne pointed out, others have also deployed partial support. In
>> fact, relatively speaking, CORS has seen an extraordinary amount of
>> browser deployment already.
>
> One point of clarification: my (admittedly imperfect) understanding
> was that the most important parts of CORS have to be implemented
> _server_-side for the proposal to achieve its goals.  If that's true,
> browser deployment alone is insufficient.  Is that a misunderstanding
> on my part?

I'm not sure how to measure what parts are more important than others?

But both server support and browser support is needed yes. In order to
support the most simple use cases (and what we at mozilla have
perceived to be the most requested use cases) the server needs to add
one header:

Access-Control-Allow-Origin: *

to their responses. In the technologies I have looked at or used this
has always been quite simple. It is also safe to do for any server
connected to the public internet as it won't expose any more data than
can be retrived using a simple request from any HTTP client.

Generally with web technologies server support tends to lag since many
developers aren't interested in writing code that only works for part
of their user base. So basically the first step to get cross browser
support in new releases, second is to wait for old releases to loose
market share, third is when you'll start seeing wide website usage.

That said, we should of course ensure that the current spec is
something that servers are interested in deploying, once the
marketshare is there. If there are security issues they of course
won't be. So if you know of security problems (other than the one we
already know about), or have other reasons to believe that servers
aren't interested in deploying, definitely speak up as soon as
possible.

/ Jonas

Received on Wednesday, 24 June 2009 19:24:49 UTC