Re: [cors] TAG request concerning CORS & Next Step(s)

Arthur Barstow wrote:
> Members of the Web Apps WG,
>
> Below is an email from Henry Thompson (forwarded with his permission), 
> on behalf of the TAG [1], re the CORS spec [2].
>
> Two things:
>
> 1. Please respond to at least this part of Henry's mail:
>
> [[
> It appeared to us that a number of significant criticisms of the
> appropriateness of CORS have been submitted to the Working Group, from
> respected members of the Web Security community among others. These
> convinced us that there is a real possibility either that server-side
> deployment won't happen, or that even if it did the new functionality
> provided would, on the one hand, be insufficiently secure while, on the
> other, discouraging the provision of something more satisfactory.
> ]]
>
> 2. For those that have been active in defining the CORS model and/or 
> CORS implementers - particularly Adam, Anne, Jonas, Hixie, Maciej, IE 
> guys (whomever replaced Sunava) - please indicate:
>
> a) their level of interest in continuing to push the current CORS model;
I've documented what Firefox 3.5 will do here:

https://developer.mozilla.org/En/HTTP_access_control

Also see:

https://developer.mozilla.org/En/Server-Side_Access_Control

Now, note that this documentation is dated (it still uses the term 
"Access Control" which should change).  But it is a reflection of what 
will go live in Fx3.5 (Jonas has already commented on redirects on 
preflighted requests, which won't be supported).

A simple test of Fx 3.5 functionality might be:

http://arunranga.com/examples/access-control/

We continue to have discussion about the "number of significant 
criticisms."  I'm keen to see this result in tangible proposals.
>
> b) their implementation plans for CORS.
See above (and see email from Jonas Sicking).

-- A*

Received on Wednesday, 24 June 2009 18:54:17 UTC