W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2012

Re: [CORS] Applying preflight cache to an entire domain?

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 18 Apr 2012 18:50:01 +0200
To: "Monsur Hossain" <monsur@gmail.com>
Cc: public-webapps@w3.org
Message-ID: <op.wcyzpnrz64w2qv@annevk-macbookpro.local>
On Wed, 18 Apr 2012 18:34:42 +0200, Monsur Hossain <monsur@gmail.com>  
wrote:
> Ah thank you! I agree that url canonicalization is a difficult issue to
> solve. FWIW, I was envisioning something much simpler. The CORS spec  
> makes
> it clear that cache lookup should be done by origin and request url. So
> instead of specifying a url to this Access-Control-Policy-Path header, it
> would be just one of three values:
>
>    - "url" - (default behavior) Cache lookup is done by origin and  
> request
>    url, as the spec indicates now
>    - "origin" - Cache lookup is done by origin only. Preflight response
>    applies to any request from this origin.
>    - "any" - Cache lookup applies to *any* origin making requests to the
>    domain.
>
> This would fit in with the current preflight caching model while still
> allowing some flexibility to servers implementing CORS.

The reason why we wanted it scoped was because people had concerns about  
giving any URL on a server control over which other resources would end up  
being shared. The scenarios typically involved large organizations with  
many different teams operating on a single origin. If one of those teams  
thinks sharing with everyone is fine, the rest can be comprised. And such  
a mistake is rather easy to make.

Another general concern that has been frequently raised and why the  
specification has so many flags for enabling additional features such as  
headers and methods, is that people easily shoot themselves in the foot.  
Your proposal makes it rather easy for them to shoot themselves in the  
foot.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 18 April 2012 16:50:38 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:51 GMT