
Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Kenton Varda <kenton@google.com>
Date: Thu, 17 Dec 2009 16:49:10 -0800
Message-ID: <4112ecad0912171649j243aff2bgf58ca9a18adeac1c@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps <public-webapps@w3.org>

On Thu, Dec 17, 2009 at 12:58 PM, Ian Hickson <ian@hixie.ch> wrote:

> With CORS, I can trivially (one line in the .htaccess file for my site)
> make sure that no sites can use XBL files from my site other than my
> sites. My sites don't do any per-user tracking; doing that would involve
> orders of magnitude more complexity.

I was debating about one particular use case, and this one that you're
talking about now is completely different.  I can propose a different
solution for this case, but I think someone will just change the use case
again to make my new solution look silly, and we'll go in circles.

> How can an origin voluntarily identify itself in an unspoofable fashion?
> Without running scripts?

It can't.  My point was that for simple non-security-related statistics
gathering, spoofing is not a big concern.  People can spoof browser UA
strings but we still gather statistics on them.

> I have no problem with offering a feature like UM in CORS. My objection is
> to making the simple cases non-trivial, e.g. by never including Origin
> headers in any requests.

Personally I'm not actually arguing against standardizing CORS.  What I'm
arguing is that UM is the natural solution for software designed in an
object-oriented, loosely-coupled way.  I'm also arguing that loosely-coupled
object-oriented systems are more powerful and better for users.

Received on Friday, 18 December 2009 00:50:27 UTC
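As an added illustration of the two points in this exchange (not code from either author or from any W3C specification): the quoted ".htaccess one-liner" amounts to a server-side allowlist that decides whether to emit `Access-Control-Allow-Origin` for a given `Origin`, and the "statistics" use case only needs the header to be tallied, not trusted. The allowlist entries and request headers below are constructed; `cors_headers` and `tally_origins` are hypothetical helper names. In Apache the equivalent would be a mod_headers `Header set Access-Control-Allow-Origin ...` directive, which is my assumption about what the quoted line looked like.

```python
from collections import Counter

# Constructed allowlist: the only origins allowed to load this site's resources
# cross-origin. Entries are full origins (scheme + host [+ port]), compared exactly.
ALLOWED_ORIGINS = frozenset({
    "https://example.test",
    "https://www.example.test",
})


def cors_headers(request_headers: dict) -> dict:
    """Return the CORS response headers for one request.

    Returns {} when the Origin header is absent, is the opaque "null" origin,
    or is not on the allowlist. Matching is by exact string, not substring or
    prefix, so "https://example.test.attacker.test" does not pass.
    Note the enforcement happens in the browser: the server merely declines
    to grant access, and the browser then withholds the response from script.
    """
    origin = request_headers.get("Origin")
    if origin is None or origin == "null":
        return {}
    if origin not in ALLOWED_ORIGINS:
        return {}
    # Echo the specific origin back and add Vary so shared caches do not
    # serve one origin's grant to another.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def tally_origins(requests: list) -> Counter:
    """Count which origins requested a resource, for non-security statistics.

    Browsers set Origin themselves and page script cannot override it, but a
    non-browser client can send any value, so these counts are indicative only
    (the same caveat that applies to User-Agent statistics).
    """
    counts = Counter()
    for headers in requests:
        counts[headers.get("Origin", "<none>")] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample requests.
    sample = [
        {"Origin": "https://example.test"},
        {"Origin": "https://www.example.test"},
        {"Origin": "https://other.test"},
        {},
    ]
    for req in sample:
        print(req.get("Origin", "<none>"), "->", cors_headers(req))
    print(tally_origins(sample))
```

The `cors_headers` check is what an origin-based restriction in CORS gives a site owner, and `tally_origins` is all the "statistics" use case needs; neither requires per-user tracking, but neither authenticates the requester either.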
