
Re: [cors] Unrestricted access

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 13 Jul 2010 08:12:03 -0700
Message-ID: <AANLkTilJ7WHN8PrjiTOBxvFFuWHNx5CzoJ9XVST6vv_L@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: public-webapps@w3.org, Jaka Jančar <jaka@kubje.org>

On Tue, Jul 13, 2010 at 3:47 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 13 Jul 2010 12:35:02 +0200, Jaka Jančar <jaka@kubje.org> wrote:
>>
>> What I'd like is a global (per-host) way to disable these limitations all
>> at once, giving XHR unrestricted access to the host, just like native apps
>> have it.
>
> It used to be a mostly "global" per-resource switch, but the security folks
> at Mozilla thought that was too dangerous and we decided to go with the
> granular approach they proposed. This happened during a meeting in the
> summer of 2008 at Microsoft. I do not believe anything has changed meanwhile
> so this will probably not happen.

This does not match my recollection of our requirements. The most
important requirements that we had were that it was possible to opt in
on a very granular basis, and that it was possible to opt in without
getting cookies. Also note that the latter wasn't possible before we
requested it and so this user's requirements would not have been
fulfilled if it wasn't for the changes we requested.

Anyhow, if we want to reopen discussions about syntax for the various
headers that CORS uses, for example to allow '*' as value, then I'm ok
with that. Though personally I'd prefer to just ship this thing as
it's a long time coming.

/ Jonas
Received on Tuesday, 13 July 2010 15:12:56 GMT
