- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 10 May 2010 23:34:48 -0400
- To: nathan@webr3.org
- CC: public-webapps <public-webapps@w3.org>
On 5/10/10 11:14 PM, Nathan wrote: >>> 2: Implement a user UI confirmation screen to allow JS applications xhr >>> access to other origin resources. (Similar to the allow desktop >>> notifications scenario in chromium) >> >> Under what conditions would the typical user be able to make an >> informed decision here? > > under the same conditions that it's the web and they can put any address > in to the address bar that they want? That's not the same thing as giving site A access to data from site B. > surely people are free to make decisions Yes, but forcing people to make decisions given insufficient information is not a nice thing to do, exactly. It happens all the time, but purposefully making it happen more often is not called for. > and indeed make mistakes + learn from them. Not when their mistakes don't really affect them. See "externality". >> You're being _way_ too optimistic about this. "corporate sys admins" >> are still using HTML blacklists in HTML filters on a routine basis, >> after years of education attempts... > > Yes I'm probably being way too optimistic, incompetency of some doesn't > mean it's not a better approach. It might if the "incompetency" is widespread enough. We need to design for the world we live in, not some utopia where everyone has infinite amounts of time to study everything and be an expert on it. > I get the feeling I'm not the first person to say this, and certainly > not the last - yet feel a bit of a brick wall here - who's web is this > again? All of ours. > no.. CORS is needed if you want to perform any actions cross-site, with > or without credentials, yeah? No. If you don't need credentials, then: 1) You could have the UA ask your server to perform the action cross-site itself. No one's stopping you from doing that. 2) You could use one of the APIs being proposed that do not send user credentials and hence might well not require CORS, since they will only be able to fetch public data (modulo the firewall/routing issue, which will indeed need to be resolved). > And for the use-case where there are user credentials needed then the browsers all ready do a pretty good job of > asking for credentials / certs and letting the user decide what to do; In the 99% common case they just send the credentials automatically without asking the user anything. > it's the one case where CORS totally isn't needed because the server at > the other side does it's own auth* ... No. The whole point here is that just because a user visits your site doesn't mean that your script should be able to impersonate that user when talking to other sites. That means either not allowing your script to talk to other sites unless they explicitly say they're ready for that sort of thing (current setup + CORS) or not allowing your script to impersonate the user in the requests it sends. -Boris
Received on Tuesday, 11 May 2010 03:35:22 UTC