Re: comments on Cross-Origin Resource Sharing (CORS) of 3-Apr-2012 (was: hey hey)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 11 Jun 2012 14:41:21 +0200
Message-ID: <CADnb78in+tPBYupV=OJAoFxkCvFTb9EeDyDUfmSgcwmjz_7sVA@mail.gmail.com>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: W3C Web App Security WG <public-webappsec@w3.org>
On Wed, Jun 6, 2012 at 1:08 AM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> Brad's incorporation of my comments into CORS sec considerations is largely
> fine by me. I've attached a further-redlined version (both .docx and .pdf)
> of the redlined .pdf he had sent to the list with some modest mods.

1) Doing this as PDF/Word documents makes it extremely painful to integrate.

2) I'm not sure the new text is actually better. E.g. it contains the
phrase "This specification defines how to authorize an instance of an
application from a foreign origin, executing in the user agent, to
access the representation of the resource in an HTTP response." Origin
is a user-agent centric concept. Turning it around seems unwise and is
inconsistent with the rest of the specification and any other
specification on the subject.

It's also not clear to me we need to reiterate what
http://tools.ietf.org/html/rfc6454 already explains. That only
increases the room for error.


-- 
Anne — Opera Software
http://annevankesteren.nl/
http://www.opera.com/
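The phrase Anne objects to describes CORS from the resource's side; in the specification the decision is made by the user agent, which compares its own serialized origin (RFC 6454) against the `Access-Control-Allow-Origin` header before exposing a cross-origin response to script. The following is an added illustration of that user-agent-side check, not code from the thread or from any browser; the function names, the sample header dictionaries, and the simplification to a single exact-match origin value are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Default ports that RFC 6454 section 6.2 omits from a serialized origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url):
    """Serialize the origin of a URL as scheme://host[:port] (RFC 6454 6.2).

    Schemes without a host/port tuple (e.g. file:) are treated as the
    opaque "null" origin, which is also what RFC 6454 prescribes.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None or scheme not in DEFAULT_PORTS:
        return "null"
    port = parts.port or DEFAULT_PORTS[scheme]
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def resource_sharing_check(requesting_origin, response_headers, with_credentials=False):
    """User-agent side decision: may script running at requesting_origin read
    this HTTP response?  Assumed simplification of the CORS resource sharing
    check: the header must be "*" or an exact match of the requesting origin.
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        return False
    if allow_origin == "*":
        # The wildcard never authorizes a credentialed request.
        return not with_credentials
    if allow_origin != requesting_origin:
        return False
    if with_credentials:
        # Credentials additionally require an explicit opt-in header.
        return headers.get("access-control-allow-credentials", "") == "true"
    return True


if __name__ == "__main__":
    # Constructed sample: a page at app.example fetching from api.example.
    origin = serialize_origin("https://app.example:443/page.html")
    response = {"Access-Control-Allow-Origin": "https://app.example"}
    print(origin, resource_sharing_check(origin, response))
```

The check never consults the server's idea of "who is authorized"; the user agent compares the origin it computed for the requesting document with what the response advertises, which is why the concept is user-agent centric as Anne notes.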
Received on Monday, 11 June 2012 12:41:50 GMT