- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 23 Oct 2009 22:00:56 -0700
- To: Doug Schepers <schepers@w3.org>
- Cc: Jonathan Rees <jar@creativecommons.org>, Maciej Stachowiak <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>

On Fri, Oct 23, 2009 at 5:29 PM, Doug Schepers <schepers@w3.org> wrote:
> That's an interesting point... if the proponents or opponents of CORS did
> more testing and modeling, would that satisfy concerns? Surely it couldn't
> be hard to set up a few common model architectures using CORS and announce
> them as targets for the white hat community?
>
> Mind you, I'm not stating one way or the other that this should be part of
> the exit criteria for CORS, just that it would be helpful overall, and
> frankly, if it hasn't been tried, I'm a little surprised... isn't this
> *exactly* the sort of thing Google, MS, the browser vendors, and the
> security community at large have the resources and expertise to do, as well
> as the incentive? Can a brother get a honeypot?

The issues that Mark and co raise are not really the kinds of things one can evaluate with a honeypot-type contest. They're worried about what web developers will build if we give them CORS as a tool.

Adam

Received on Saturday, 24 October 2009 05:01:49 UTC