- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 08 Oct 2009 16:55:59 +0200
- To: "Arthur Barstow" <art.barstow@nokia.com>, "Thomas Roessler" <tlr@w3.org>, "Tyler Close" <tyler.close@gmail.com>, "Jonas Sicking" <jonas@sicking.cc>
- Cc: public-webapps <public-webapps@w3.org>

On Tue, 14 Apr 2009 14:34:11 +0200, Arthur Barstow <art.barstow@nokia.com> wrote:

> On Apr 14, 2009, at 6:33 AM, ext Thomas Roessler wrote:
>> So, to pick up on this discussion again -- I don't think we've had a
>> useful conclusion whether or not the client-side JavaScript code ought
>> to explicitly enable cross-site requests (as Tyler suggests, and as IE
>> implements in XDR) or not.
>>
>> All things considered, any thoughts?
>
> I tend to think that when adding new semantics, it generally makes sense
> to add new syntax to support those semantics and in this case that it
> would be better to err on the side of caution even if the mechanism
> chosen isn't particularly friendly to the app developer.
>
> Yes, it would be good to get others' thoughts on this, particularly those
> that have implemented CORS.

If you still feel this way I suggest you put it on the agenda for TPAC so we can briefly discuss it there. Otherwise I suggest we consider this resolved considering that implementations are shipping. I personally think keeping the API the way it is now is nicer and the security issue seems highly theoretical.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Thursday, 8 October 2009 14:56:44 UTC