Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 18 Dec 2009 01:56:22 +0000 (UTC)
To: Kenton Varda <kenton@google.com>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0912180149530.15825@hixie.dreamhostps.com>

On Thu, 17 Dec 2009, Kenton Varda wrote:
> On Thu, Dec 17, 2009 at 12:58 PM, Ian Hickson <ian@hixie.ch> wrote:
> > 
> > With CORS, I can trivially (one line in the .htaccess file for my 
> > site) make sure that no sites can use XBL files from my site other 
> > than my sites. My sites don't do any per-user tracking; doing that 
> > would involve orders of magnitude more complexity.
>
> I was debating about one particular use case, and this one that you're 
> talking about now is completely different.  I can propose a different 
> solution for this case, but I think someone will just change the use 
> case again to make my new solution look silly, and we'll go in circles.

The advantage of CORS is that it addresses all these use cases well.


> > How can an origin voluntarily identify itself in an unspoofable 
> > fashion? Without running scripts?
> 
> It can't.

I don't understand how it can solve the problem then. If it's trivial for 
a site to spoof another, then the use case isn't solved.


> My point was that for simple non-security-related statistics gathering, 
> spoofing is not a big concern.

None of the use cases I've mentioned involve statistics gathering.


> > I have no problem with offering a feature like UM in CORS. My 
> > objection is to making the simple cases non-trivial, e.g. by never 
> > including Origin headers in any requests.
> 
> Personally I'm not actually arguing against standardizing CORS.  What 
> I'm arguing is that UM is the natural solution for software designed in 
> an object-oriented, loosely-coupled way.

CORS is a superset of UM; I have no objection to CORS-enabled APIs 
exposing the UM subset (i.e. allowing scripts to opt out of sending the 
Origin header). However, my understanding is that the UM proposal is to 
explicitly not allow "Origin" to ever be sent, which is why there is a 
debate. (If the question was just "should we add a feature to CORS to 
allow Origin to not be sent", then I think the debate would have concluded 
without much argument long ago.)


> I'm also arguing that loosely-coupled object-oriented systems are more 
> powerful and better for users.

"Powerful" is not a requirement I'm looking for. "Simple" is.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 18 December 2009 01:56:50 GMT