
Re: UMP / CORS: Implementor Interest

From: Nathan <nathan@webr3.org>
Date: Thu, 13 May 2010 03:07:30 +0100
Message-ID: <4BEB5EE2.6000700@webr3.org>
To: Ian Hickson <ian@hixie.ch>
CC: Tyler Close <tyler.close@gmail.com>, Dirk Pranke <dpranke@chromium.org>, public-webapps <public-webapps@w3.org>
Ian Hickson wrote:
> On Wed, 12 May 2010, Tyler Close wrote:
>> We've gone through several scenarios on this list where this validation 
>> is not feasible. On the chromium list, I recently explained how it is 
>> not possible to implement a generic AtomPub client that does this 
>> validation:
>>
>> http://groups.google.com/a/chromium.org/group/chromium-dev/msg/afda9a4d1d1a4fcb
> 
> I don't think using AtomPub is necessarily a good idea. AtomPub was not 
> designed for use with CORS. If you're going to use technologies 
> inappropriately then sure, you'll have security problems.

But you can't use any RESTful with CORS because it strips Location, 
Content-Location etc.

Perfectly secure to have /admin/ accessing /data/ or HTTP through to 
HTTPS for POST etc.

I agree CORS is needed, but imho the UMP headers [1] really needed 
added (if not just the Uniform-Headers)

[1] http://dev.w3.org/2006/waf/UMP/#response-header-filtering

Best,

Nathan
Received on Thursday, 13 May 2010 02:09:00 GMT
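
The response-header filtering this message refers to, modelled as an added example that is not part of the thread. The safelist, the forbidden names and the `Access-Control-Expose-Headers` opt-in follow the present-day Fetch Standard rather than the 2010 drafts under discussion; `visibleHeaders`, `parseExposeList` and the sample 201 response are constructed for illustration.

```javascript
// CORS-safelisted response header names (present-day Fetch Standard; not from the thread).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Forbidden response header names: never readable by script, even if "exposed".
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Parse an Access-Control-Expose-Headers value into a set of lowercase names.
function parseExposeList(value) {
  if (!value) return new Set();
  return new Set(value.split(",").map((n) => n.trim().toLowerCase()).filter(Boolean));
}

// Return the headers a cross-origin script can read from a CORS response.
// `headers` is a plain object; `credentialed` is true if the request carried credentials.
function visibleHeaders(headers, credentialed = false) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const exposed = parseExposeList(lower["access-control-expose-headers"]);
  // "*" acts as a wildcard only for requests made without credentials.
  const wildcard = exposed.has("*") && !credentialed;
  const out = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || exposed.has(name) || wildcard) out[name] = value;
  }
  return out;
}

// Constructed sample: the 201 an AtomPub-style server might send after a POST.
const created = {
  "Content-Type": "application/atom+xml;type=entry",
  "Location": "https://data.example/entries/42",
  "Content-Location": "https://data.example/entries/42",
  "Set-Cookie": "sid=abc",
};

function demo() {
  const plain = visibleHeaders(created); // server sends no expose list
  const optedIn = visibleHeaders({
    ...created,
    "Access-Control-Expose-Headers": "Location, Content-Location",
  });
  return { plain, optedIn };
}
console.log(demo());
```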
