- From: Arthur Barstow <Art.Barstow@nokia.com>
- Date: Tue, 13 Oct 2009 07:14:01 -0400
- To: ext Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, "Mark S. Miller" <erights@google.com>
- Cc: Henry Thompson <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, public-webapps <public-webapps@w3.org>

On Oct 13, 2009, at 1:49 AM, ext Adam Barth wrote:

>> If this is not access control, I must ask: what do you mean by
>> "access control"?
>
> I'm not sure the abstract question of whether CORS is an access
> control system is that meaningful. We should concentrate on the
> following questions:
>
> 1) Does CORS introduce security vulnerabilities into legacy servers
> that are unaware of the CORS protocol?
> 2) How well does CORS support the simple use cases of cross-origin
> resource sharing?
> 3) Does CORS prevent sophisticated developers from implementing
> advanced use cases?
>
> Do you find CORS problematic for any of the above questions? Do you
> think we should be concerned with other questions?

Agree these are the right questions. Thanks Adam.

I noticed "access control" doesn't even occur in the spec any more except for the document's shortname of "access-control" and we may change that name when the doc is next published.

-Regards, Art Barstow

Received on Tuesday, 13 October 2009 11:15:44 UTC