
Re: [cors] unaddressed security concerns

From: Devdatta <dev.akhawe@gmail.com>
Date: Thu, 5 Nov 2009 18:04:49 -0800
Message-ID: <ecf35a1b0911051804q186c60ax1d26ab9fca27d9c7@mail.gmail.com>
To: public-webapps <public-webapps@w3.org>

Hi Maciej,

>
> Read <from>
>   If the <from> resource is owned by the domain specified by Origin, return
> the data.
>
.....
> CrossDomainCopy <from-domain> <from-resource> <read-token> <to-domain>
> <to-resource> <write-token>

I don't understand the aim of the whole protocol you have outlined above.

Are you saying CORS should be rewritten to directly support such a design?

Or is this a design pattern you are recommending (for use with CORS)?

If the latter, do you honestly expect web developers to read and
understand all that?

Or have I missed the point completely?

Cheers
Devdatta
Received on Friday, 6 November 2009 02:09:09 GMT
