
Re: [cors] security issue with XMLHttpRequest API compatibility

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 08 Oct 2009 18:05:52 +0200
To: "Mark S. Miller" <erights@google.com>
Cc: "Arthur Barstow" <art.barstow@nokia.com>, "Thomas Roessler" <tlr@w3.org>, "Tyler Close" <tyler.close@gmail.com>, "Jonas Sicking" <jonas@sicking.cc>, public-webapps <public-webapps@w3.org>
Message-ID: <op.u1hob0bm64w2qv@anne-van-kesterens-macbook.local>

On Thu, 08 Oct 2009 17:59:56 +0200, Mark S. Miller <erights@google.com> wrote:
> This is my first TPAC. How does one put something on the agenda?

I added it here for you as I suppose you do not have a wiki account:


>> Otherwise I suggest we consider this resolved
>> considering that implementations are shipping.
> I don't understand this argument seeing as how implementations of XDR
> are already shipping too.

My assumption is that sites use conditionals to target one or the other  
and would break if one or the other would no longer work. Maybe it's not  
too late yet though, dunno.

>> I personally think keeping the API the way it is now is nicer and the
>> security issue seems highly theoretical.
> As with much of the rest of CORS, newly created vulnerabilities seem
> theoretical until they are deployed and attacked. By the time they do
> not seem theoretical, it is too late to do better than patch around
> problems that should not have been introduced. We've been over this
> before.


Anne van Kesteren
Received on Thursday, 8 October 2009 16:06:37 UTC
