- From: Michael(tm) Smith <mike@w3.org>
- Date: Thu, 25 Jun 2009 03:00:25 +0900
- To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
- Cc: Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
"Henry S. Thompson" <ht@inf.ed.ac.uk>, 2009-06-24 18:22 +0100:
> Jonas Sicking writes:
>
> > As Anne pointed out, others have also deployed partial support. In
> > fact, relatively speaking, CORS has seen an extraordinary amount of
> > browser deployment already.
>
> One point of clarification: my (admittedly imperfect) understanding
> was that the most important parts of CORS have to be implemented
> _server_-side for the proposal to achieve its goals. If that's true,
> browser deployment alone is insufficient. Is that a misunderstanding
> on my part?
It's not true.
The spec was explicitly designed with a goal of minimizing any
server-side changes that would need to be made to enable it.
Some of the relevant requirements:
- Must be deployable to IIS and Apache without requiring actions
by the server administrator in a configuration where the user
can upload static files, run serverside scripts (such as PHP,
ASP, and CGI), control headers, and control authorization, but
only do this for URLs under a given set of subdirectories on
the server.
- Must be able to deploy support for cross-origin GET requests
without having to use server-side scripting (such as PHP, ASP,
or CGI) on IIS and Apache.
- Must not require that the server filters the entity body of
the resource in order to deny cross-origin access to all
resources on the server.
--
Michael(tm) Smith
http://people.w3.org/mike/
Received on Wednesday, 24 June 2009 18:00:46 UTC