Re: CORS & ISSUE-108

My recollection of the status of ISSUE-108 is that CORS was going to
provide functionality equivalent to that of UMP when the CORS
credentials flag is false. CORS was also also going to expand its
Security Considerations section to explain the Confused Deputy issues,
possibly by borrowing text from UMP. Are you saying that work has been
completed or it will not be undertaken? The current editor's draft of
CORS does mention a credentials flag, but I haven't found much detail
on it. For example, what effect does it have on use of the browser's
request cache?


On Wed, Nov 17, 2010 at 6:40 AM, Anne van Kesteren <> wrote:
> has been open for a year and
> we have made little concrete progress on it unfortunately. Meanwhile, CORS
> is shipping, deployed and nobody is planning to take it out or down as far
> as I know. I think it is time to move on and go to Last Call.
> I am open to spending a few more days on finding a solution to this problem
> we can all agree with, but if we have nothing by December 1 and at that
> point it does not seem likely it will get anywhere we should go for a Last
> Call CfC (or maybe straight to a formal vote) and call it a day.
> --
> Anne van Kesteren

Received on Tuesday, 23 November 2010 23:05:31 UTC