
Re: [cors] security issue with XMLHttpRequest API compatibility

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 08 Oct 2009 16:55:59 +0200
To: "Arthur Barstow" <art.barstow@nokia.com>, "Thomas Roessler" <tlr@w3.org>, "Tyler Close" <tyler.close@gmail.com>, "Jonas Sicking" <jonas@sicking.cc>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <op.u1hk3lct64w2qv@annevk-t60>

On Tue, 14 Apr 2009 14:34:11 +0200, Arthur Barstow <art.barstow@nokia.com> wrote:
> On Apr 14, 2009, at 6:33 AM, ext Thomas Roessler wrote:
>> So, to pick up on this discussion again -- I don't think we've had a
>> useful conclusion whether or not the client-side JavaScript code ought
>> to explicitly enable cross-site requests (as Tyler suggests, and as IE
>> implements in XDR) or not.
>> All things considered, any thoughts?
> I tend to think that when adding new semantics, it generally makes sense  
> to add new syntax to support those semantics and in this case that it  
> would be better to err on the side of caution even if the mechanism  
> chosen isn't particularly friendly to the app developer.
> Yes, it would be good to get others' thoughts on this, particularly those  
> that have implemented CORS.

If you still feel this way I suggest you put it on the agenda for TPAC so  
we can briefly discuss it there. Otherwise I suggest we consider this  
resolved considering that implementations are shipping.

I personally think keeping the API the way it is now is nicer and the  
security issue seems highly theoretical.

Anne van Kesteren
Received on Thursday, 8 October 2009 14:56:44 UTC
