- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 24 Jun 2009 12:23:49 -0700
- To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
- Cc: Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Wed, Jun 24, 2009 at 10:22 AM, Henry S. Thompson<ht@inf.ed.ac.uk> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Jonas Sicking writes: > >> As Anne pointed out, others have also deployed partial support. In >> fact, relatively speaking, CORS has seen an extraordinary amount of >> browser deployment already. > > One point of clarification: my (admittedly imperfect) understanding > was that the most important parts of CORS have to be implemented > _server_-side for the proposal to achieve its goals. If that's true, > browser deployment alone is insufficient. Is that a misunderstanding > on my part? I'm not sure how to measure what parts are more important than others? But both server support and browser support is needed yes. In order to support the most simple use cases (and what we at mozilla have perceived to be the most requested use cases) the server needs to add one header: Access-Control-Allow-Origin: * to their responses. In the technologies I have looked at or used this has always been quite simple. It is also safe to do for any server connected to the public internet as it won't expose any more data than can be retrived using a simple request from any HTTP client. Generally with web technologies server support tends to lag since many developers aren't interested in writing code that only works for part of their user base. So basically the first step to get cross browser support in new releases, second is to wait for old releases to loose market share, third is when you'll start seeing wide website usage. That said, we should of course ensure that the current spec is something that servers are interested in deploying, once the marketshare is there. If there are security issues they of course won't be. So if you know of security problems (other than the one we already know about), or have other reasons to believe that servers aren't interested in deploying, definitely speak up as soon as possible. / Jonas
Received on Wednesday, 24 June 2009 19:24:49 UTC