W3C home > Mailing lists > Public > www-tag@w3.org > September 2012

Re: ACTION-695: Check with Thomas Roessler on whether security review of CORS is coming up in W3C/IETF liaison

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 13 Sep 2012 14:16:00 +1000
Cc: www-tag@w3.org
Message-Id: <1866FF63-136E-4FB6-98A1-45E0E4CE093C@mnot.net>
To: Jonathan A Rees <rees@mumble.net>

On 11/09/2012, at 11:20 PM, Jonathan A Rees <rees@mumble.net> wrote:

> 1. Mark Nottingham
> "[cors] Review"
> http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/0643.html
> May 2009
> 
> There are about 40 messages in the response thread. I haven't gone to
> the effort to check whether or how subsequent drafts (of which there
> have been several) addressed Mark's points.

That's one of many interactions I've had with them over the years about CORS.

In a nutshell, it was designed with a particular use case in mind -- allowing individual resources to control access, rather than having origin-wide access control (despite many other mechanisms being site-wide, e.g., P3P, sitemaps.xml, robots.txt, and the origin security model itself).

As a result, the design is quite convoluted, complex to implement, and very 'chatty' for some use cases. 

In discussion with some WG members, I think we came to a place where we agreed that having CORS move forward was sensible, since it's already implemented; perhaps CORS2 might be better one day (although that's undoubtedly going to take some time, if it ever happens).

Cheers,

--
Mark Nottingham   http://www.mnot.net/
Received on Thursday, 13 September 2012 04:16:28 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 September 2012 04:16:28 GMT