- From: Marcos Caceres <w3c@marcosc.com>
- Date: Mon, 8 Apr 2013 10:10:03 +0100
- To: Robin Berjon <robin@w3.org>
- Cc: Janusz Majnert <j.majnert@samsung.com>, public-sysapps@w3.org
On Monday, April 8, 2013 at 10:04 AM, Robin Berjon wrote:

> Hi Janusz,
>
> On 04/04/2013 10:26 , Janusz Majnert wrote:
> > I think we have a perfectly good solution now: CSP + CORS. The problem,
> > as Ming Jin stated in the first message, is that most servers are not
> > yet CORS enabled, and even if they are, they will not recognise the
> > "app://" origins of packaged apps. To make matters worse, we still don't
> > know how the origin will be constructed, will it identify the application.
>
> I'm sorry, but I'm not sure I understand the limitations that you're
> seeing here.
>
> In my experience, CORS-enabling a server, at least for the simple cases
> that don't require a preflight, is actually fairly simple. Doubly so if
> you consider that in most cases you want to access an API of some form,
> which means that the required headers are under programmatic control and
> therefore relatively easily changed. Sure enough, CORS-exposing static
> files on a shared server, or coding up preflight checks, can be hard,
> but I think those are closer to corner cases.
>
> As for recognising app: origins I'm not sure what the problem is. We can
> make the app: authority predictable for a given application if we need
> to.

Agreed. This might also get around the need of having to fake the origin with a HTTP one.

> Beyond that, I don't see what's special about app: that would be a
> problem to servers.
>

Agreed.

--
Marcos Caceres
Received on Monday, 8 April 2013 09:10:37 UTC
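
Added example, not part of the original message or of any SysApps draft: a sketch of the "simple case" discussed in the thread, where an API server decides the CORS response headers for a non-preflight request from an exact-match origin allowlist that includes an app: origin. The `app://example-app-id` authority, the `https://client.example` origin and the function names are constructed placeholders; the thread itself notes that the construction of app: origins was still undecided.

```python
from urllib.parse import urlsplit

# Constructed allowlist. The app: authority is a placeholder: it only works
# if the runtime makes it predictable for a given application.
ALLOWED_ORIGINS = frozenset({
    "https://client.example",
    "app://example-app-id",
})


def normalize_origin(value):
    """Return scheme://host[:port], or None if value is not a bare origin."""
    if not value or value == "null":
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https", "app") or not parts.hostname:
        return None
    # An Origin header carries no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"
    return f"{origin}:{port}" if port is not None else origin


def cors_headers(request_headers, allowed=ALLOWED_ORIGINS):
    """Headers to add to a simple (non-preflight) API response.

    request_headers is assumed to be a dict keyed by canonical header name.
    """
    # The response varies by Origin, so shared caches must key on it.
    headers = {"Vary": "Origin"}
    origin = normalize_origin(request_headers.get("Origin"))
    if origin in allowed:
        # Exact match only: no suffix or substring tests, and no "*" when
        # the decision is meant to be per application.
        headers["Access-Control-Allow-Origin"] = origin
    return headers
```

An origin that is absent, `null`, or not an exact allowlist member gets no `Access-Control-Allow-Origin` header, so the browser withholds the response from the calling script.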