Re: Request for Review: Cross-Origin Resource Sharing

Hi Doug,
OpenAjax Alliance is highly interested in the security aspects of the CORS
spec, but AFAIK, there isn't anyone doing careful monitoring of spec
changes or email list discussion. Sounds like it is time for me to solicit
input from our security committee on the most recent spec.

Jon



                                                                           
             Doug Schepers                                                 
             <schepers@w3.org>                                             
             Sent by:                                                   To 
             public-webapps-re         ietf-http-wg@w3.org,                
             quest@w3.org              "public-webapps@w3.org"             
                                       <public-webapps@w3.org>             
                                                                        cc 
             04/03/2009 04:12                                              
             PM                                                    Subject 
                                       Request for Review: Cross-Origin    
                                       Resource Sharing                    
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




Hi-

The W3C Web Applications WG is actively seeking review for the
Cross-Origin Resource Sharing (CORS) specification [1] from parties
interested in Web security.  This specification currently depends upon
the proposed Origin header, which started within the CORS specification
but has been split out as an IETF draft, The HTTP Origin Header [2].

It should be noted that the Origin header has received some criticism,
and the WebApps WG is discussing whether it may be sufficient for use
with the use cases covered by CORS.  The CORS specification is currently
being implemented by major browsers, including at least Internet
Explorer 8, beta versions of Firefox 3.5, and beta versions of Safari 4.
  Therefore, it is of particular importance and urgency that we receive
formal review of CORS.

A previous request for review [1] (when this specification was known as
"Access Control for Cross-Site Requests") did not result in sufficient
technical response during the last year and a half.  It is difficult for
the WebApps WG to determine if this was due to lack of interest, lack of
perceived problems, or belief that review of the Origin header draft was
sufficient.

Explicit review will help us assess how to move forward with this work
in a way that is mindful of Web security architecture.  We would
appreciate this call for review being forwarded to any lists or people
that should be aware of it.


[1] http://www.w3.org/TR/cors/
[2] http://tools.ietf.org/html/draft-abarth-origin-00
[3] http://lists.w3.org/Archives/Public/ietf-http-wg/2007OctDec/0298.html

Best Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs

Received on Saturday, 4 April 2009 00:07:07 UTC