- From: Maciej Stachowiak <mjs@apple.com>
- Date: Thu, 05 Nov 2009 21:59:44 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Hi Tyler, On Nov 5, 2009, at 5:48 PM, Tyler Close wrote: > Closing remark: > > In another thread, you've written "I do think that a way to do an > anonymous XHR is justified", so I don't know how much sense it makes > to continue this thread. You put so much effort into this email that I > felt I owed you a response. Let me make sure I understand your position and overall goal in this discussion. Is it: A) An API to do anonymous XHR (such as GuestXHR) should be provided *AND* CORS should be abandoned (and perhaps removed from implementations shipping it. OR: B) An API to do anonymous XHR (such as GuestXHR) should be added, but you can live with CORS continuing to exist. I thought your position was (A). If it is in fact (B), then perhaps we have all invested more energy than necessary in this debate, because I don't think (B) is especially controversial. But if your position is (A), then the statement you quoted wasn't meant to agree with that position (in case it wasn't clear). That being said, I feel the input from you and Mark and the ensuing discussion has helped the Working Group get a better understanding of the security issues in this area, and I believe it will help us make a high-quality Security Considerations section. So if you have further replies in mind that would help inform the conversation, then please feel encouraged to send them. Regards, Maciej
Received on Friday, 6 November 2009 06:00:19 UTC