- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 16 Nov 2009 10:09:27 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Thu, Nov 5, 2009 at 9:59 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> Hi Tyler,
>
> On Nov 5, 2009, at 5:48 PM, Tyler Close wrote:
>
>> Closing remark:
>>
>> In another thread, you've written "I do think that a way to do an
>> anonymous XHR is justified", so I don't know how much sense it makes
>> to continue this thread. You put so much effort into this email that I
>> felt I owed you a response.
>
> Let me make sure I understand your position and overall goal in this
> discussion. Is it:
>
> A) An API to do anonymous XHR (such as GuestXHR) should be provided *AND*
> CORS should be abandoned (and perhaps removed from implementations shipping
> it.
>
> OR:
>
> B) An API to do anonymous XHR (such as GuestXHR) should be added, but you
> can live with CORS continuing to exist.
>
>
> I thought your position was (A). If it is in fact (B), then perhaps we have
> all invested more energy than necessary in this debate, because I don't
> think (B) is especially controversial. But if your position is (A), then the
> statement you quoted wasn't meant to agree with that position (in case it
> wasn't clear).

MarkM and I have been arguing for position (A), and will continue to
do so, but getting an agreement on (B) is valuable. When I saw your
agreement to (B), I wanted to make sure that didn't get lost in the
noise around the debate of (A). To further assist this, MarkM and I
are currently working on a fully formed specification for GuestXHR.
I'm tempted to push on that and pause the debate on (A) until we have
WG consensus on this new spec. With the good tool in place, arguing to
drop the bad one carries less risk.

> That being said, I feel the input from you and Mark and the ensuing
> discussion has helped the Working Group get a better understanding of the
> security issues in this area, and I believe it will help us make a
> high-quality Security Considerations section. So if you have further replies
> in mind that would help inform the conversation, then please feel encouraged
> to send them.

I'm glad you've found this discussion worthwhile and thank you for
saying so. I think the slide set you put together was also a great
help to the discussion. We do have further analysis we'd like to
contribute on (A) and DBAD, but for at least the short term, I'd like
to focus on getting GuestXHR in place. Expect a first draft of that
this week...

Thanks,
--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 16 November 2009 18:10:07 UTC