Re: CORS

On Thu, Oct 12, 2017 at 3:03 PM, Jack (Zhan, Hua Ping)
<jackiszhp@gmail.com> wrote:
>> Chaals already posted a reminder about politeness and acceptable behaviour
>> [1]. The Web Platform chairs prefer not to remove people from public-webapps
>> unless it's necessary, but we will if we have to.
>>
>> Words like "stupid", and phrases like "incompetant professional", are not
>> acceptable when referring to other people. Please be respectful, even if you
>> disagree with someone's technical position.
>>
>> Léonie, on behalf of the WebPlat co-chairs
>> [1] https://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0022.html
> You are telling me people are very weak, can be hurt very easily.
> I am sorry since I am from low society so I did not pay much attention
> to the words.
> Let's focus on the issue itself.
>
> If anyone thinks the approach I proposed is stupid, I am expecting
> she/he can tell me straightforwardly:
> what you proposed is stupid because of #1...., #2......
> And I will appreciate the feedback to the point. I would not get hurt
> since I do not assign much value or power to those words.

#1 To quote Travis, "A self-granting permission model just isn't
secure--the permission grant must come from the resource being
requested."

#2 Most distributed systems use both public and non-public APIs.  The
public APIs are carefully vetted, but the non-public APIs often make
assumptions about their inputs because those inputs come from a
smaller, more tightly controlled set of endpoints.

CORS isn't for public APIs.  CORS makes it easier for components of a
distributed system to collaborate via non-public APIs.

When you suggest adding your site to bank.com's list, you are
effectively saying "I should have access to non-public APIs because I
am an integral part of that distributed system and the implementation
of those non-public APIs took my service into account."  That is
simply not true.

If you dislike the fact that bank.com's public APIs don't suffice, ask
them to extend their public APIs.

If you notice that bank.com has a non-public API that does what you
want but is CORS restricted, you're out of luck.  Even if CORS
changed, the API is not public and they may change or remove it at any
time.
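The principle in #1 above, that the grant must come from the resource being requested, can be shown as a small resource-side CORS policy check. This is an added illustration written for this archive page, not code from the list thread or from any browser or server project. The origins (`https://app.bank.example`, `https://third-party.example`), the API paths, and the request objects are constructed placeholders; only the header names are the real CORS ones.

```javascript
// Added example: a resource server decides CORS from ITS OWN allowlist.
// Whatever the requesting site sends or claims about itself is irrelevant.

// Hypothetical policy owned by the resource (bank.example in the thread's terms).
const RESOURCE_POLICY = {
  // Non-public API: only the component the resource actually designed for.
  '/internal/transfer': {
    origins: ['https://app.bank.example'],
    credentials: true,
    methods: ['POST'],
  },
  // Public, read-only API: anyone may call it, without credentials.
  '/public/rates': {
    origins: ['*'],
    credentials: false,
    methods: ['GET'],
  },
};

const DENY = Object.freeze({ allowed: false, headers: {} });

// req is a constructed shape: { method, path, headers: { origin, ... } }.
// The Origin header is set by the browser and cannot be altered by page script;
// that is the only caller-supplied input this decision trusts.
function corsDecision(req, policyTable = RESOURCE_POLICY) {
  const policy = policyTable[req.path];
  const origin = req.headers['origin'];
  if (!policy || !origin) return DENY;

  const wildcard = policy.origins.includes('*');
  // A credentialed wildcard is a misconfiguration browsers reject anyway;
  // fail closed rather than emit it.
  if (policy.credentials && wildcard) return DENY;

  // For a preflight, the method being asked about is in a separate header.
  const method = req.method === 'OPTIONS'
    ? req.headers['access-control-request-method']
    : req.method;
  if (!policy.methods.includes(method)) return DENY;

  // Any "Access-Control-Allow-Origin" the requester itself sends is ignored:
  // a self-granted permission is not a grant.
  if (!wildcard && !policy.origins.includes(origin)) return DENY;

  const headers = {};
  if (policy.credentials) {
    // Echo only an allowlisted origin, and tell caches the answer varies on it.
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  } else {
    headers['Access-Control-Allow-Origin'] = '*';
  }
  if (req.method === 'OPTIONS') {
    headers['Access-Control-Allow-Methods'] = policy.methods.join(', ');
  }
  return { allowed: true, headers };
}

// Constructed requests showing the four cases discussed in the thread.
function demo() {
  return {
    trustedComponent: corsDecision({
      method: 'POST', path: '/internal/transfer',
      headers: { origin: 'https://app.bank.example' },
    }),
    selfGrantedThirdParty: corsDecision({
      method: 'POST', path: '/internal/transfer',
      headers: {
        origin: 'https://third-party.example',
        // The requester "granting" itself access changes nothing.
        'access-control-allow-origin': 'https://third-party.example',
      },
    }),
    publicApiAnyone: corsDecision({
      method: 'GET', path: '/public/rates',
      headers: { origin: 'https://third-party.example' },
    }),
    preflightTrusted: corsDecision({
      method: 'OPTIONS', path: '/internal/transfer',
      headers: {
        origin: 'https://app.bank.example',
        'access-control-request-method': 'POST',
      },
    }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The third-party site can add its own origin to nothing here: the allowlist lives in the resource's policy table, which is exactly the "non-public API took my service into account" relationship the message says the requester does not have. The public endpoint answers `*` because the resource chose to make it public, not because a caller asked.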

Received on Thursday, 12 October 2017 19:43:31 UTC