W3C home > Mailing lists > Public > www-tag@w3.org > December 2011

Re: CfC: CORS to advance to Last Call

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 21 Dec 2011 00:26:05 +0100
Cc: Thomas Roessler <tlr@w3.org>, Ashok Malhotra <ashok.malhotra@oracle.com>, "www-tag@w3.org List" <www-tag@w3.org>, Brad Hill <bhill@paypal-inc.com>, Eric Rescorla <ekr@rtfm.com>
Message-Id: <976423F7-30F3-4885-B19E-76F868BDF32F@w3.org>
To: Jonathan A Rees <rees@mumble.net>
On 2011-12-20, at 16:44 +0100, Jonathan A Rees wrote:

> If so then one could imagine that a user who came to believe
> full CORS was too risky would be given the option, in a browser
> configuration panel, to turn off full CORS while retaining the UMP
> subset. Or that a browser provider interested in protecting users
> might make the same decision categorically. (I know, it's a
> stretch...)

Copying the chairs of webappsec; not sure they're following the discussion on www-tag.

Brad, Ekr -- thread starts here:
	http://lists.w3.org/Archives/Public/www-tag/2011Dec/0091.html


I wanted to make two high-level points:

1. The choice of security policy in the browser is an important choice, but it's not just the user's.  CORS and UMP hiding behind the very same API, and applications being unable to predict which is which, is a recipe for web applications breaking in inscrutable ways.  That'll lead to a very nasty mix of functionality and security breakages.


2. Some very smart people have been arguing back and forth about CORS v. UMP for a long time now.  (But note that the current version of CORS seems to have a lot of buy-in from the industry, and I haven't seen any interest in pushing UMP forward lately...)

You don't seriously believe that exposing that choice in a browser setting even approximates something like a good idea, right?
Received on Tuesday, 20 December 2011 23:26:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:44 GMT