Re: [cors] Review

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 17 Jun 2009 22:42:13 +0000 (UTC)
To: Tyler Close <tyler.close@gmail.com>
Cc: Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
Message-ID: <Pine.LNX.4.62.0906172239070.16244@hixie.dreamhostps.com>

On Wed, 17 Jun 2009, Tyler Close wrote:
> For those at work, watching the show, here's the beast we're looking 
> for:
> 1. A firewalled intranet, where servers behind the firewall have
> routable IP addresses (ie: not 10.*, or 192.168.*)
> 2. *and* where servers on the Internet are *not* accessed via an HTTP proxy
> 3. *and* there is a resource on a server behind the firewall that
> depends solely on connectivity for authentication (if you can get
> packets to me you're allowed to use me)
> 4. *and* where this resource does *not* treat GET and POST as equivalent methods
> 5. *and* where this resource checks that the Content-Type header on a
> POST request is either "application/x-www-form-urlencoded" or
> "text/plain"
> If you find a resource that meets the above criteria, then you've got a 
> resource that may be secure under CORS, but not under my alternate 
> proposal. Do we have any winners?

I believe we have such services at Google, though for obvious reasons I 
wouldn't want to elaborate on that.

Is this the proposal to which you refer?:


Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 17 June 2009 22:52:10 UTC
