Request for Review: Cross-Origin Resource Sharing

Hi-

The W3C Web Applications WG is actively seeking review for the 
Cross-Origin Resource Sharing (CORS) specification [1] from parties 
interested in Web security.  This specification currently depends upon 
the proposed Origin header, which started within the CORS specification 
but has been split out as an IETF draft, The HTTP Origin Header [2].

It should be noted that the Origin header has received some criticism, 
and the WebApps WG is discussing whether it may be sufficient for use 
with the use cases covered by CORS.  The CORS specification is currently 
being implemented by major browsers, including at least Internet 
Explorer 8, beta versions of Firefox 3.5, and beta versions of Safari 4. 
  Therefore, it is of particular importance and urgency that we receive 
formal review of CORS.

A previous request for review [1] (when this specification was known as 
"Access Control for Cross-Site Requests") did not result in sufficient 
technical response during the last year and a half.  It is difficult for 
the WebApps WG to determine if this was due to lack of interest, lack of 
perceived problems, or belief that review of the Origin header draft was 
sufficient.

Explicit review will help us assess how to move forward with this work 
in a way that is mindful of Web security architecture.  We would 
appreciate this call for review being forwarded to any lists or people 
that should be aware of it.


[1] http://www.w3.org/TR/cors/
[2] http://tools.ietf.org/html/draft-abarth-origin-00
[3] http://lists.w3.org/Archives/Public/ietf-http-wg/2007OctDec/0298.html

Best Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs

Received on Friday, 3 April 2009 23:12:47 UTC