W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [cors] TAG request concerning CORS & Next Step(s)

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 24 Jun 2009 14:39:32 -0700
Cc: public-webapps <public-webapps@w3.org>, Henry Thompson <ht@inf.ed.ac.uk>
Message-id: <2925A456-FC1D-4356-87FC-5810BF52E5B8@apple.com>
To: Arthur Barstow <art.barstow@nokia.com>

On Jun 24, 2009, at 4:29 AM, Arthur Barstow wrote:

> Members of the Web Apps WG,
> Below is an email from Henry Thompson (forwarded with his  
> permission), on behalf of the TAG [1], re the CORS spec [2].
> Two things:
> 1. Please respond to at least this part of Henry's mail:
> [[
> It appeared to us that a number of significant criticisms of the
> appropriateness of CORS have been submitted to the Working Group, from
> respected members of the Web Security community among others. These
> convinced us that there is a real possibility either that server-side
> deployment won't happen, or that even if it did the new functionality
> provided would, on the one hand, be insufficiently secure while, on  
> the
> other, discouraging the provision of something more satisfactory.
> ]]
> 2. For those that have been active in defining the CORS model and/or  
> CORS implementers - particularly Adam, Anne, Jonas, Hixie, Maciej,  
> IE guys (whomever replaced Sunava) - please indicate:
> a) their level of interest in continuing to push the current CORS  
> model;

Apple and the WebKit project would be reluctant to make major changes  
to the model at this point unless its security was broken in ways that  
could not reasonably be patched with minor changes.

> b) their implementation plans for CORS.

We have shipped what I believe is an essentially complete  
implementation of CORS as of Safari 4. I believe it is also present or  
soon will be in other WebKt-based browsers, such as Google Chrome.

Received on Wednesday, 24 June 2009 21:40:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC