- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 22 Jun 2009 17:10:27 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Mon, Jun 22, 2009 at 4:27 PM, Ian Hickson <ian@hixie.ch> wrote:
> The only people who really get to decide here are the browser vendors. For better or worse, they seem to have decided to go with what CORS says today. If anyone wants to change that, it is the implementors they need to convince.

From what I've read, XDomainRequest can be viewed as a subset implementation of either CORS, or my simpler proposal. Actually, it seems to be closer to a subset of my proposal, since the documentation seems to suggest that credentials are not sent to any site, including the same origin. Perhaps a staged deployment like this will work best anyways, since I suspect XDomainRequest will uncover any actual problems with reliance on connectivity, or client IP address, for authentication.

Hopefully browser implementers have been monitoring this discussion and have found it informative and useful. I'm happy to discuss further with them.

> Sure, this forces us into designs that suck and generally are suboptimal.

If they suck enough, they won't be used widely and so just create additional attack surface area, without providing useful functionality. I suspect the extra round-trips in CORS will cause many developers to simply avoid using that part of CORS; especially since it's not supported under IE.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 23 June 2009 00:11:08 UTC
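The trade-off discussed in this message (a client that never attaches credentials, versus CORS's explicit credential opt-in plus preflight round-trips) can be made concrete with a small model of the decisions a server and a browser make. This is an added Python example, not code from the thread, from any browser, or from the CORS specification text; the allow-list, origins and function names are constructed for illustration, and the "simple request" rules are summarised from CORS rather than quoted from it.

```python
"""Model of two CORS decisions: when a request costs an extra preflight
round-trip, and when a response may let the browser use credentials."""

# Requests using only these methods/headers are "simple" under CORS and are
# sent without a preflight, i.e. with no extra round-trip.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def needs_preflight(method, headers):
    """True when the browser must first send an OPTIONS preflight."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return True  # custom header such as X-Requested-With
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SIMPLE_CONTENT_TYPES:
                return True  # e.g. application/json
    return False


def round_trips(method, headers):
    """Number of HTTP round-trips the browser spends on this request."""
    return 2 if needs_preflight(method, headers) else 1


def cors_response_headers(origin, allowed_origins, allow_credentials):
    """Server side: headers to emit for a request carrying `origin`.

    Returns {} when the origin is not on the allow-list, which makes the
    browser withhold the response from the calling script.  Constructed
    policy: a credentialed response always echoes the exact origin and
    never uses "*", so ambient credentials cannot be replayed by any site.
    """
    if origin is None or origin not in allowed_origins:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_exposes_response(with_credentials, origin, response_headers):
    """Client side: does the browser hand the response to the script?

    Mirrors the browser check: the allowed origin must match (or be "*"
    for anonymous requests), and a request sent with credentials also
    requires Access-Control-Allow-Credentials: true.
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        if acao == "*":
            return False  # wildcard is never valid with credentials
        return (acao == origin and
                response_headers.get("Access-Control-Allow-Credentials") == "true")
    return acao in ("*", origin)


if __name__ == "__main__":
    # Constructed sample: one trusted origin, one untrusted origin.
    allowed = {"https://app.example"}
    resp = cors_response_headers("https://app.example", allowed, True)
    print("credentialed, trusted origin exposed:",
          browser_exposes_response(True, "https://app.example", resp))
    print("JSON POST round-trips:",
          round_trips("POST", {"Content-Type": "application/json"}))
```

An "anonymous only" client model, the behaviour the message attributes to XDomainRequest, corresponds to always calling `browser_exposes_response` with `with_credentials=False`: the server may then answer with `*`, the credential question disappears, but any endpoint that authenticates by client IP or network position is still reachable by the cross-origin request.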