Re: [cors] TAG request concerning CORS & Next Step(s)

"Henry S. Thompson" <ht@inf.ed.ac.uk>, 2009-06-24 18:22 +0100:

> Jonas Sicking writes:
> 
> > As Anne pointed out, others have also deployed partial support. In
> > fact, relatively speaking, CORS has seen an extraordinary amount of
> > browser deployment already.
> 
> One point of clarification: my (admittedly imperfect) understanding
> was that the most important parts of CORS have to be implemented
> _server_-side for the proposal to achieve its goals.  If that's true,
> browser deployment alone is insufficient.  Is that a misunderstanding
> on my part?

It's not true.

The spec was explicitly designed with a goal of minimizing any
server-side changes that would need to be made to enable it.

Some of the relevant requirements:

  - Must be deployable to IIS and Apache without requiring actions
    by the server administrator in a configuration where the user
    can upload static files, run server-side scripts (such as PHP,
    ASP, and CGI), control headers, and control authorization, but
    only do this for URLs under a given set of subdirectories on
    the server.

  - Must be able to deploy support for cross-origin GET requests
    without having to use server-side scripting (such as PHP, ASP,
    or CGI) on IIS and Apache.

  - Must not require that the server filters the entity body of
    the resource in order to deny cross-origin access to all
    resources on the server.

-- 
Michael(tm) Smith
http://people.w3.org/mike/

Received on Wednesday, 24 June 2009 18:00:46 UTC
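
The requirements quoted in the message above work because the access decision is made by the browser from response headers, so an unmodified server denies cross-origin reads by default. The sketch below is an added example, not part of the original message or the spec text; it follows the simplified CORS check as specified today, and the function names, origins and sample responses are constructed for illustration.

```javascript
// Simplified browser-side CORS check for a cross-origin GET response.
// Header names are real; everything else here is a constructed illustration.

// Case-insensitive header lookup; returns null when the header is absent.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Returns true when the browser may expose the response to script
// running in requestOrigin, false when it must withhold it.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  const allowed = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowed === null) return false;                    // no opt-in: default deny
  if (!withCredentials && allowed === "*") return true;  // public resource
  if (allowed !== requestOrigin) return false;           // exact match only
  if (!withCredentials) return true;
  // Credentialed requests need an explicit second opt-in.
  return getHeader(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// Constructed sample responses.
// 1. Static file on a server that knows nothing about CORS.
const legacyStatic = { "Content-Type": "text/html" };
// 2. Static file in a directory whose per-directory config adds one header,
//    e.g. Apache mod_headers in .htaccess: Header set Access-Control-Allow-Origin "*"
const optedInStatic = { "Content-Type": "application/json",
                        "access-control-allow-origin": "*" };
// 3. Resource shared with a single origin, credentials permitted.
const singleOrigin = { "Access-Control-Allow-Origin": "https://app.example",
                       "Access-Control-Allow-Credentials": "true" };

function demo() {
  const origin = "https://app.example"; // assumed requesting origin
  return {
    legacyDenied: !corsCheck(origin, legacyStatic),
    staticGetAllowed: corsCheck(origin, optedInStatic),
    wildcardWithCredentialsDenied: !corsCheck(origin, optedInStatic, true),
    singleOriginWithCredentials: corsCheck(origin, singleOrigin, true),
    otherOriginDenied: !corsCheck("https://other.example", singleOrigin),
  };
}

console.log(demo());
```

The first case is the third requirement in practice: the server never inspects or filters the body, and the missing header alone keeps the response from cross-origin script.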