W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

RE: [cors] TAG request concerning CORS & Next Step(s)

From: Adrian Bateman <adrianba@microsoft.com>
Date: Wed, 24 Jun 2009 20:17:12 -0700
To: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>
CC: Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>, Henry Thompson <ht@inf.ed.ac.uk>
Message-ID: <749F45FA745A3244A87A63316D4E26B187BFAFADFD@NA-EXMSG-C108.redmond.corp.microsoft.com>
On Wednesday, June 24, 2009 6:39 PM, Mark S. Miller wrote:
> On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren <annevk@opera.com> wrote:
> > I cannot comment on behalf of Opera on this. I can point out that Safari 4 and Chrome 2
> > ship with it and that Firefox 3.5 will too. (No implementation will support redirects yet
> > though, as I understand things.) Internet Explorer 8 supports a subset of the protocol.
>
> IIUC, the XDR subset IE8 supports does not include identified Origin or preflight,
> and so avoids most of the problems created by full CORS. However, it still presents
> user credentials (http auth, cookies, client-side certs, referer), and so still has
> many of the same remaining ambient authority problems. Nevertheless, it remains a more
> plausible starting point than identified Origin.

IE8 strips user credentials such as cookies from XDR requests and supports only GET and POST. It does send the Origin header used for CORS and responds to Access-Control-Allow-Origin. We don't support preflight.

Adrian.
Received on Thursday, 25 June 2009 03:19:00 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT