Re: [cors] Review

On Mon, 22 Jun 2009, Tyler Close wrote:
> 
> Ian Hickson's email seemed to suggest that IP-based authentication was 
> the primary reason to not consider the simpler approach I outlined.

I don't know if it is or was a primary reason, but it is reason enough.

Personally, I am not willing to risk adding new unprotected ways of making 
requests on the Web. If we were designing the Web from scratch then sure, 
there are many things that I would prefer to do in other ways. However, 
Web authors have made assumptions about the way the Web works, and we have 
no way to verify every deployment of those assumptions and check to see if 
they would still work with new assumptions. Sure, this forces us into 
designs that suck and generally are suboptimal. Such is life.

I understand that other people may be willing to take more risks or may 
want to take even fewer risks. I have no power in what the final decision 
is; I can only say what my opinion is. The only people who really get to 
decide here are the browser vendors. For better or worse, they seem to 
have decided to go with what CORS says today. If anyone wants to change 
that, it is the implementors they need to convince.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 22 June 2009 23:27:47 UTC