- From: Kenton Varda <kenton@google.com>
- Date: Thu, 17 Dec 2009 16:49:10 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-webapps <public-webapps@w3.org>
- Message-ID: <4112ecad0912171649j243aff2bgf58ca9a18adeac1c@mail.gmail.com>
On Thu, Dec 17, 2009 at 12:58 PM, Ian Hickson <ian@hixie.ch> wrote:
> With CORS, I can trivially (one line in the .htaccess file for my site)
> make sure that no sites can use XBL files from my site other than my
> sites. My sites don't do any per-user tracking; doing that would involve
> orders of magnitude more complexity.

I was debating about one particular use case, and this one that you're talking about now is completely different. I can propose a different solution for this case, but I think someone will just change the use case again to make my new solution look silly, and we'll go in circles.

> How can an origin voluntarily identify itself in an unspoofable fashion?
> Without running scripts?

It can't. My point was that for simple non-security-related statistics gathering, spoofing is not a big concern. People can spoof browser UA strings but we still gather statistics on them.

> I have no problem with offering a feature like UM in CORS. My objection is
> to making the simple cases non-trivial, e.g. by never including Origin
> headers in any requests.

Personally I'm not actually arguing against standardizing CORS. What I'm arguing is that UM is the natural solution for software designed in an object-oriented, loosely-coupled way. I'm also arguing that loosely-coupled object-oriented systems are more powerful and better for users.
Received on Friday, 18 December 2009 00:50:27 UTC
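The thread above turns on what a server-side origin allow-list does and does not buy you: the browser sets the Origin header, so a page on another site cannot forge it, while a non-browser client can send anything. The following is an added example, not code from the thread or from either participant, showing the check that Ian's "one line in the .htaccess file" (in Apache, a mod_headers `Header set Access-Control-Allow-Origin ...` directive) performs, written as a plain function so the cases discussed in the thread can be seen directly. The origins in `MY_SITES` and the request dictionaries are constructed for the example.

```python
# Added example (not from the original thread): a minimal server-side CORS
# origin allow-list check. MY_SITES is an assumed, constructed list.

MY_SITES = {"https://example.org", "https://www.example.org"}  # constructed


def cors_headers(request_headers: dict, allowed_origins=MY_SITES) -> dict:
    """Return the CORS response headers to send for a request.

    An empty dict means "send no CORS headers": the browser will then refuse
    to expose the response to a cross-site page. This controls which sites'
    pages can *use* the resource through a browser; it does not authenticate
    the caller, because a non-browser client can put any value in Origin.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        # No Origin header: a same-origin or non-CORS fetch, or a client that
        # never sends Origin (the UM model discussed in the thread). There is
        # nothing to grant, so send nothing.
        return {}
    if origin in allowed_origins:
        # Echo the exact matching origin rather than "*", and tell shared
        # caches that the answer depends on the Origin request header.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    # Unknown origin: serve the bytes if you like, but grant nothing, so the
    # browser keeps the response from the requesting page's script.
    return {}


def allowed_cross_site(request_headers: dict, allowed_origins=MY_SITES) -> bool:
    """True when a browser on an allowed site would be permitted to read
    the response; convenient for logging denied cross-site attempts."""
    return "Access-Control-Allow-Origin" in cors_headers(request_headers, allowed_origins)


if __name__ == "__main__":
    for hdrs in ({"Origin": "https://example.org"},
                 {"Origin": "https://other.example"},
                 {}):
        print(hdrs, "->", cors_headers(hdrs))
```

Note that the comparison is an exact match on the serialized origin (scheme, host, port), so `https://example.org` and `http://example.org` are different origins; prefix or substring matching is a common mistake that lets `https://example.org.attacker.example` through.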