
Re: Chromium's support for CORS and UMP

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 10 May 2010 22:45:34 -0400
Message-ID: <4BE8C4CE.5010901@mit.edu>
To: nathan@webr3.org
CC: public-webapps <public-webapps@w3.org>

On 5/10/10 10:21 PM, Nathan wrote:
> 2: Implement a user UI confirmation screen to allow JS applications xhr
> access to other origin resources. (Similar to the allow desktop
> notifications scenario in Chromium)

Under what conditions would the typical user be able to make an informed 
decision here?

> 3: Standardise a way of having signed scripts that are trusted (like
> Mozilla have implemented)

Mozilla is removing signed script support.  It leads to too much 
complexity, is disabled by default for users anyway, etc.

> Ideally, a long term shift towards global access unless denied by CORS
> would be an ideal solution (imo), typically corporate sys admins will
> be a bit more up to speed when it comes to implementing security features
> than Joe Public, and quite sure that a security bulletin + a bit of
> coverage around the web would get the information in to the right hands

You're being _way_ too optimistic about this.  "corporate sys admins" 
are still using HTML blacklists in HTML filters on a routine basis, 
after years of education attempts...

> Surely we can't be dependent on CORS indefinitely, perhaps some form of
> planned path as to how CORS might be phased out?

CORS is only needed if you want to perform actions cross-site with the 
user's credentials on the other site, right?  For that use case, I would 
in fact expect us to depend on CORS indefinitely.

-Boris
Received on Tuesday, 11 May 2010 02:46:13 GMT
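
The distinction drawn in the last paragraph of the message, between cross-site requests made with and without the user's credentials, shown as an added example that is not part of the original message or of any browser's code. The names `TRUSTED_ORIGINS`, `corsHeaders` and `browserAllowsRead` and the `*.example` origins are hypothetical.

```javascript
// Added example: all names and origins here are hypothetical/constructed.
const TRUSTED_ORIGINS = new Set(["https://app.example"]); // constructed allowlist

// Server side: choose CORS response headers for a resource.
// usesCredentials = true means the response depends on the user's
// cookies or HTTP auth on this site.
function corsHeaders(requestOrigin, usesCredentials) {
  if (!usesCredentials) {
    // Public data, identical for every caller: any origin may read it.
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) {
    // No CORS headers: the browser withholds the response from the caller.
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin, // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // stop caches serving one origin's answer to another
  };
}

// Browser side: the check applied before script may read a
// cross-origin response.
function browserAllowsRead(headers, requestOrigin, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (withCredentials) {
    // A wildcard is not accepted for credentialed requests.
    return allowOrigin === requestOrigin &&
      headers["Access-Control-Allow-Credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === requestOrigin;
}
```

The uncredentialed branch needs no per-origin decision, while the credentialed branch is where the server must name the origins it trusts to act as the user.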
