- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 22 Jun 2009 12:33:33 -0700
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Mon, Jun 22, 2009 at 11:30 AM, Tyler Close <tyler.close@gmail.com> wrote:
> It appears to me that almost all
> the complexity of CORS comes from its attempt to protect resources
> that rely solely on IP-based authentication.

I'm not sure this is the case. I think the reasoning goes like this:

1) We can't strip all the credential information from cross-origin requests.
2) There's a large amount of value in supporting all the normal credentials associated with HTTP requests.
3) Given (1), we have to deal with the credential issue. Given (2), we get a large benefit from supporting all kinds of credentials.
4) Given (3), some folks have made a judgement call that the value of supporting credentials is worth the complexity.

> So let's take a look at the ACM digital library case. Is there some
> document that describes its use of IP-based authentication? Does the
> resource use this protection to authenticate POST requests, or just
> GET requests?

I'm not familiar with exactly how it works, but the basic idea is as follows:

1) Universities (and other folks) pay money to ACM digital library to give their networks access to the library.
2) When I visit the library from the university network, I can download papers, etc.
3) When I visit the library from home, I can browse the index, but I can't download the papers.

I seem to recall that the amount the university pays is somehow related to how much they use the library, but I don't know what the mechanism is for this or whether UC Berkeley buys an all-you-can-eat subscription.

Adam
Received on Monday, 22 June 2009 19:34:31 UTC
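The following is an added illustration of point (1) in the message above, written for this page and not code from the thread, from any browser, or from the ACM digital library. It models an IP-authenticated resource like the library described (the campus range, the origins and the request shape are all constructed assumptions) alongside the browser-side CORS response check as it exists today (an `Access-Control-Allow-Origin` of `*` never satisfies a credentialed request, otherwise the header must echo the requesting origin and `Access-Control-Allow-Credentials: true` must be present). The point it makes concrete is that the client IP address is a credential the browser cannot omit, so a resource that answers `*` leaks to any origin even when the page sends no cookies at all, whereas an explicit origin allowlist does not.

```javascript
// Constructed model: IP-based ("ambient") authorization behind a CORS gate.
// Nothing here is the real ACM library; the campus range and origins are assumptions.

const CAMPUS_PREFIX = "10.1.";                                   // assumed campus network
const ALLOWED_ORIGINS = new Set(["https://library.example.edu"]); // assumed allowlist

// Server authorizes purely on the source IP, like the subscription model in the thread.
function isCampusIp(ip) {
  return ip.startsWith(CAMPUS_PREFIX);
}

// Server that opts in only for allowlisted origins and echoes the origin back.
function serveAllowlisted(req) {
  const authorized = isCampusIp(req.clientIp);
  const headers = {};
  if (req.origin && ALLOWED_ORIGINS.has(req.origin)) {
    headers["Access-Control-Allow-Origin"] = req.origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // keep caches from reusing one origin's answer for another
  }
  return { status: authorized ? 200 : 403, headers, body: authorized ? "PAPER-PDF" : "" };
}

// Server that answers every origin with a wildcard: the weak configuration.
function serveWildcard(req) {
  const authorized = isCampusIp(req.clientIp);
  return {
    status: authorized ? 200 : 403,
    headers: { "Access-Control-Allow-Origin": "*" },
    body: authorized ? "PAPER-PDF" : "",
  };
}

// Browser side: may script running at `origin` read this cross-origin response?
// credentialsMode is "omit" or "include" (cookies / HTTP auth); the IP is sent either way.
function browserCanRead(origin, credentialsMode, response) {
  const allow = response.headers["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  const credentialed = credentialsMode === "include";
  if (allow === "*") return !credentialed; // wildcard never satisfies a credentialed request
  if (allow !== origin) return false;
  if (credentialed && response.headers["Access-Control-Allow-Credentials"] !== "true") return false;
  return true;
}

// One cross-origin GET from a page at `origin`, issued by a browser sitting at `clientIp`.
function crossOriginFetch(server, origin, clientIp, credentialsMode) {
  const response = server({ origin, clientIp, credentialsMode, method: "GET" });
  return {
    serverAuthorized: response.status === 200,
    readable: browserCanRead(origin, credentialsMode, response),
  };
}

// Scenario: a malicious page opened by someone on the campus network.
function attackerOnCampus(server) {
  return crossOriginFetch(server, "https://evil.example", "10.1.2.3", "omit");
}

// Scenario: the legitimate portal, also on campus.
function portalOnCampus(server) {
  return crossOriginFetch(server, "https://library.example.edu", "10.1.2.3", "include");
}

// Scenario: the legitimate portal opened from home.
function portalFromHome(server) {
  return crossOriginFetch(server, "https://library.example.edu", "203.0.113.5", "include");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("wildcard, attacker on campus:", attackerOnCampus(serveWildcard));
  console.log("allowlist, attacker on campus:", attackerOnCampus(serveAllowlisted));
  console.log("allowlist, portal on campus:", portalOnCampus(serveAllowlisted));
  console.log("allowlist, portal from home:", portalFromHome(serveAllowlisted));
}
```

In every campus scenario the server itself says "authorized", because the IP check passes before any CORS header is consulted; the only thing standing between the attacker's page and the paper is whether the browser lets the script read the body, and with a wildcard policy it does. That is why the credential question cannot be avoided by telling pages to send requests without cookies.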