- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 22 Dec 2009 01:31:17 +0000 (UTC)
- To: Kenton Varda <kenton@google.com>
- Cc: Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>

On Mon, 21 Dec 2009, Kenton Varda wrote:
>
> The problem is that the security it provides in those cases simply
> doesn't exist unless you can ensure that no resource on *any* of your
> allowed origins can be tricked into fetching your "protected" resource
> for a third party. In practice this will be nearly impossible to ensure
> except in the most simple cases.

The most simple cases are also the most common and are by far the cases I care the most about. The more complicated cases are authored by more competent authors, and can be more complicated (e.g. they don't have to use CORS).

I am not arguing that you can't screw up the use of CORS in complicated cases (though I think you can just as easily screw up the use of UM in complicated cases, and am not at all convinced that one is in practice better than the other).

I am all in favour of providing authors of complicated cases APIs that follow the characteristics of UM (e.g. not letting the user agent handle user or site identification, but requiring that sites establish protocols to do so themselves).

But simple things should be simple to do. If we only give authors UM, and don't give them CORS, then we are making _everything_ complicated. That's a bad design for a platform that is to be used by as broad an authoring base as the Web's.

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 22 December 2009 01:31:48 UTC