- From: Doug Schepers <schepers@w3.org>
- Date: Fri, 03 Apr 2009 19:12:30 -0400
- To: ietf-http-wg@w3.org, "public-webapps@w3.org" <public-webapps@w3.org>
Hi- The W3C Web Applications WG is actively seeking review for the Cross-Origin Resource Sharing (CORS) specification [1] from parties interested in Web security. This specification currently depends upon the proposed Origin header, which started within the CORS specification but has been split out as an IETF draft, The HTTP Origin Header [2]. It should be noted that the Origin header has received some criticism, and the WebApps WG is discussing whether it may be sufficient for use with the use cases covered by CORS. The CORS specification is currently being implemented by major browsers, including at least Internet Explorer 8, beta versions of Firefox 3.5, and beta versions of Safari 4. Therefore, it is of particular importance and urgency that we receive formal review of CORS. A previous request for review [1] (when this specification was known as "Access Control for Cross-Site Requests") did not result in sufficient technical response during the last year and a half. It is difficult for the WebApps WG to determine if this was due to lack of interest, lack of perceived problems, or belief that review of the Origin header draft was sufficient. Explicit review will help us assess how to move forward with this work in a way that is mindful of Web security architecture. We would appreciate this call for review being forwarded to any lists or people that should be aware of it. [1] http://www.w3.org/TR/cors/ [2] http://tools.ietf.org/html/draft-abarth-origin-00 [3] http://lists.w3.org/Archives/Public/ietf-http-wg/2007OctDec/0298.html Best Regards- -Doug Schepers W3C Team Contact, SVG and WebApps WGs
Received on Friday, 3 April 2009 23:12:47 UTC