W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 05 Nov 2009 21:59:44 -0800
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Message-id: <0AA568EA-5728-455E-B935-0DF374C70BC5@apple.com>
To: Tyler Close <tyler.close@gmail.com>

Hi Tyler,

On Nov 5, 2009, at 5:48 PM, Tyler Close wrote:

> Closing remark:
>
> In another thread, you've written "I do think that a way to do an
> anonymous XHR is justified", so I don't know how much sense it makes
> to continue this thread. You put so much effort into this email that I
> felt I owed you a response.

Let me make sure I understand your position and overall goal in this  
discussion. Is it:

A) An API to do anonymous XHR (such as GuestXHR) should be provided  
*AND* CORS should be abandoned (and perhaps removed from  
implementations shipping it.

OR:

B) An API to do anonymous XHR (such as GuestXHR) should be added, but  
you can live with CORS continuing to exist.


I thought your position was (A). If it is in fact (B), then perhaps we  
have all invested more energy than necessary in this debate, because I  
don't think (B) is especially controversial. But if your position is  
(A), then the statement you quoted wasn't meant to agree with that  
position (in case it wasn't clear).


That being said, I feel the input from you and Mark and the ensuing  
discussion has helped the Working Group get a better understanding of  
the security issues in this area, and I believe it will help us make a  
high-quality Security Considerations section. So if you have further  
replies in mind that would help inform the conversation, then please  
feel encouraged to send them.

Regards,
Maciej
Received on Friday, 6 November 2009 06:00:19 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT