W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2010

Re: [cors] 27 July 2010 CORS feedback

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 24 Nov 2010 04:36:51 +0100
To: Jonas Sicking <jonas@sicking.cc>
Cc: Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
Message-ID: <ot0pe6p5arsal3td3p78kjjgs2649kablm@hive.bjoern.hoehrmann.de>
* Jonas Sicking wrote:
>other person: Hmm.. we might want to disable cross-site posting for
>forms some day, so is it such a good idea that cors enables it?
>me: If we do disable it for forms we'll just disable it for cors too.
>So much content will break for forms that the cors breakage won't be
>what we're concerned about.
>other person: Yeah, true.

At the point where browser vendors actually disable cross site form
posts it won't break a lot of sites, since browser vendors are not in
the habit of making changes that break a lot of sites. At best we'd
have a vendor like Microsoft less concerned with having only one code
path for everything who'd disable them in certain modes or based on
certain headers or something like that, so they will slowly be phased
out, alongside efforts to change major sites and educating developers.

If not doing cross site posts without authorization is a goal, teaching
authors it's fine to make cross site posts without authorization
undermines that goal. It means more work for everyone to get to a point
where browser vendors would even have this discussion. What you are
saying amounts to telling authors "Hey, here is a new way to do cross
site posts; btw, if you use this, we are planning on breaking your site
and thousands of others." That's not very reasonable.
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 24 November 2010 03:37:25 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:28 UTC