Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

On Thu, Dec 17, 2009 at 12:58 PM, Ian Hickson <ian@hixie.ch> wrote:

> With CORS, I can trivially (one line in the .htaccess file for my site)
> make sure that no sites can use XBL files from my site other than my
> sites. My sites don't do any per-user tracking; doing that would involve
> orders of magnitude more complexity.
>

I was debating about one particular use case, and this one that you're
talking about now is completely different.  I can propose a different
solution for this case, but I think someone will just change the use case
again to make my new solution look silly, and we'll go in circles.


> How can an origin voluntarily identify itself in an unspoofable fashion?
> Without running scripts?
>

It can't.  My point was that for simple non-security-related statistics
gathering, spoofing is not a big concern.  People can spoof browser UA
strings but we still gather statistics on them.


> I have no problem with offering a feature like UM in CORS. My objection is
> to making the simple cases non-trivial, e.g. by never including Origin
> headers in any requests.
>

Personally I'm not actually arguing against standardizing CORS.  What I'm
arguing is that UM is the natural solution for software designed in an
object-oriented, loosely-coupled way.  I'm also arguing that loosely-coupled
object-oriented systems are more powerful and better for users.

Received on Friday, 18 December 2009 00:50:27 UTC