- From: Sam Ruby <rubys@intertwingly.net>
- Date: Fri, 27 Mar 2009 12:00:24 -0400
- To: Thomas Roessler <tlr@w3.org>
- CC: Dan Connolly <connolly@w3.org>, public-ietf-w3c <public-ietf-w3c@w3.org>, Mark Nottingham <mnot@mnot.net>
Thomas Roessler wrote:
> On 27 Mar 2009, at 14:42, Thomas Roessler wrote:
>
>> Thanks Sam and Dan!
>>
>> From the notes, I can't quite tell whether Origin and CORS got
>> discussed together or separately. That doesn't really match reality,
>> as there's (at least in the view of some)
>
> "Discussing them separately ignores an important motivation for Origin"
> is what I mean -- sorry for the unclear words.

They were discussed separately. As you point out, that may have been unfortunate. I was unaware of the connection between the two.

>> value to using the same header for CORS and more general cross site
>> request forgery prevention. That aspect is, in my view, an important
>> element in the cost/benefit analysis for Origin.
>>
>> Concerning "JavaScript sandboxing", I wonder what precisely people at
>> the meeting had in mind. Is this another instance of the topic area
>> of last December's workshop
>>
>> http://www.w3.org/2008/security-ws/
>>
>> ... or is something different meant?

That was mentioned in passing, simply as an area where additional security review may be warranted. It wasn't elaborated further.

>> Regards,
>> --
>> Thomas Roessler, W3C <tlr@w3.org>

- Sam Ruby
Received on Friday, 27 March 2009 16:01:04 UTC