- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 22 Jun 2009 23:27:14 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Mon, 22 Jun 2009, Tyler Close wrote: > > Ian Hickson's email seemed to suggest that IP-based authentication was > the primary reason to not consider the simpler approach I outlined. I don't know if it is or was a primary reason, but it is reason enough. Personally, I am not willing to risk adding new unprotected ways of making requests on the Web. If we were designing the Web from scratch then sure, there are many things that I would prefer to do in other ways. However, Web authors have made assumptions about the way the Web works, and we have no way to verify every deployment of those assumptions and check to see if they would still work with new assumptions. Sure, this forces us into designs that suck and generally are suboptimal. Such is life. I understand that other people may be willing to take more risks or may want to take even fewer risks. I have no power in what the final decision is; I can only say what my opinion is. The only people who really get to decide here are the browser vendors. For better or worse, they seem to have decided to go with what CORS says today. If anyone wants to change that, it is the implementors they need to convince. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 22 June 2009 23:27:47 UTC