- From: Michael(tm) Smith <mike@w3.org>
- Date: Thu, 25 Jun 2009 03:00:25 +0900
- To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
- Cc: Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
"Henry S. Thompson" <ht@inf.ed.ac.uk>, 2009-06-24 18:22 +0100: > Jonas Sicking writes: > > > As Anne pointed out, others have also deployed partial support. In > > fact, relatively speaking, CORS has seen an extraordinary amount of > > browser deployment already. > > One point of clarification: my (admittedly imperfect) understanding > was that the most important parts of CORS have to be implemented > _server_-side for the proposal to achieve its goals. If that's true, > browser deployment alone is insufficient. Is that a misunderstanding > on my part? It's not true. The spec was explicitly designed with a goal of minimizing any server-side changes that would need to be made to enable it. Some of the relevant requirements: - Must be deployable to IIS and Apache without requiring actions by the server administrator in a configuration where the user can upload static files, run serverside scripts (such as PHP, ASP, and CGI), control headers, and control authorization, but only do this for URLs under a given set of subdirectories on the server. - Must be able to deploy support for cross-origin GET requests without having to use server-side scripting (such as PHP, ASP, or CGI) on IIS and Apache. - Must not require that the server filters the entity body of the resource in order to deny cross-origin access to all resources on the server. -- Michael(tm) Smith http://people.w3.org/mike/
Received on Wednesday, 24 June 2009 18:00:46 UTC