- From: Arthur Barstow <Art.Barstow@nokia.com>
- Date: Wed, 24 Jun 2009 07:29:38 -0400
- To: public-webapps <public-webapps@w3.org>, Henry Thompson <ht@inf.ed.ac.uk>
Members of the Web Apps WG, Below is an email from Henry Thompson (forwarded with his permission), on behalf of the TAG [1], re the CORS spec [2]. Two things: 1. Please respond to at least this part of Henry's mail: [[ It appeared to us that a number of significant criticisms of the appropriateness of CORS have been submitted to the Working Group, from respected members of the Web Security community among others. These convinced us that there is a real possibility either that server-side deployment won't happen, or that even if it did the new functionality provided would, on the one hand, be insufficiently secure while, on the other, discouraging the provision of something more satisfactory. ]] 2. For those that have been active in defining the CORS model and/or CORS implementers - particularly Adam, Anne, Jonas, Hixie, Maciej, IE guys (whomever replaced Sunava) - please indicate: a) their level of interest in continuing to push the current CORS model; b) their implementation plans for CORS. Henry - regarding how the WG will address comments re CORS, I expect us to continue to use public-webapps for related discussions and to track issues using Tracker (see [3] for a list of open Issues related to CORS). -Regards, Art Barstow [1] http://www.w3.org/2001/tag/ [2] http://dev.w3.org/2006/waf/access-control/ [3] http://www.w3.org/2008/webapps/track/products/7 Begin forwarded message: > From: "ext Henry S. Thompson" <ht@inf.ed.ac.uk> > Date: June 23, 2009 5:18:51 PM EDT > To: "Barstow Art (Nokia-CIC/Boston)" <Art.Barstow@nokia.com>, > Charles McCathieNevile <chaals@opera.com> > Subject: TAG request concerning CORS > > In the course of exploring a range of issues around the general > question of JavaScript security [1] at our face-to-face meeting, the > TAG reviewed the same-origin restriction policy in user agents, > and the Cross-Origin Resource Sharing (CORS) WD [2] under development > in the WebApps WG. > > It appeared to us that a number of significant criticisms of the > appropriateness of CORS have been submitted to the Working Group, from > respected members of the Web Security community among others. These > convinced us that there is a real possibility either that server-side > deployment won't happen, or that even if it did the new functionality > provided would, on the one hand, be insufficiently secure while, on > the > other, discouraging the provision of something more satisfactory. > > Please get back to us with some details of how those criticisms will > be addressed, so that widespread server-side deployment will not only > occur but also be beneficial. > > Henry S. Thompson, on behalf of the TAG > > [1] http://www.w3.org/2001/tag/2009/06/23-agenda#security > [2] http://www.w3.org/TR/access-control/ > - -- > Henry S. Thompson, School of Informatics, University of > Edinburgh
Received on Wednesday, 24 June 2009 11:35:43 UTC