
Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 16 Dec 2009 23:36:38 -0800
Cc: Ian Hickson <ian@hixie.ch>, Kenton Varda <kenton@google.com>, public-webapps <public-webapps@w3.org>
Message-id: <82BD94B6-AB4A-43F0-A720-58D48E7AA1D4@apple.com>
To: Devdatta <dev.akhawe@gmail.com>

On Dec 16, 2009, at 11:30 PM, Devdatta wrote:

> hmm.. just a XDR GET on the file at hixie.ch which allows access only
> if the request is from damowmow.com ?
>
> I am not sure -- is there anything special about XBL bindings which
> would result in this not working ?

If I recall correctly, XDR sends an Origin header, so it would work  
for this kind of use case so long as the resource is not per-user. XDR  
essentially uses a profile of CORS with the credentials flag always  
off. UM is different - it would not send an Origin header. So it would  
be more difficult to apply it to Hixie's problem.

Regards,
Maciej



> Cheers
> devdatta
>
> 2009/12/16 Ian Hickson <ian@hixie.ch>:
>> On Wed, 16 Dec 2009, Devdatta wrote:
>>>>
>>>> Another example would be an XBL binding file on hixie.ch that is
>>>> accessible only to pages on damowmow.com. With CORS I can do this with one
>>>> line in my .htaccess file. I don't see how to do it at all with UM.
>>>
>>> Seems to me that these examples can just as easily be done with IE's
>>> XDomainRequest.
>>
>> How?
>>
>> --
>> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
>> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
>> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>>
>
Received on Thursday, 17 December 2009 07:37:12 GMT
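
The distinction drawn in the message above, as an added example that is not part of the original thread: a simplified model of the browser-side check that decides whether a page may read a cross-origin response. It assumes the ".htaccess one-liner" is a static Access-Control-Allow-Origin response header and that a request with no Origin header can only match the wildcard value; all function names are hypothetical.

```python
# Added illustration: simplified model of the browser's resource-sharing check.
from typing import Optional

ALLOWED_ORIGIN = "http://damowmow.com"  # the one site allowed to read the file

def response_headers(allow_origin: str) -> dict:
    # Assumption: the ".htaccess one-liner" sets this static response header.
    return {"Access-Control-Allow-Origin": allow_origin}

def origin_sent(mechanism: str, page_origin: str) -> Optional[str]:
    """Origin header each mechanism puts on the request, per the message."""
    if mechanism in ("CORS", "XDR"):
        return page_origin
    if mechanism == "UM":
        return None  # UM requests carry no Origin header
    raise ValueError(f"unknown mechanism: {mechanism}")

def credentials_sent(mechanism: str, with_credentials: bool = False) -> bool:
    """XDR is CORS with the credentials flag always off; UM never sends any."""
    return mechanism == "CORS" and with_credentials

def can_read(mechanism: str, page_origin: str, headers: dict) -> bool:
    """True if the requesting page may see the response body.
    The credentialed-CORS special cases are not modelled here."""
    allow = headers.get("Access-Control-Allow-Origin")
    if allow is None:
        return False  # no opt-in from the server: same-origin policy applies
    if allow == "*":
        return True   # public to every origin
    sent = origin_sent(mechanism, page_origin)
    return sent is not None and sent == allow

if __name__ == "__main__":
    restricted = response_headers(ALLOWED_ORIGIN)
    for mech in ("CORS", "XDR", "UM"):
        for page in (ALLOWED_ORIGIN, "http://other.example"):  # constructed
            print(f"{mech:4} from {page:22} -> {can_read(mech, page, restricted)}")
```

The per-origin policy is enforced by the browser on the response, so it restricts which pages can read the file, not which clients can fetch it.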
