- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 24 Nov 2010 04:36:51 +0100
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org

* Jonas Sicking wrote:
>other person: Hmm.. we might want to disable cross-site posting for
>forms some day, so is it such a good idea that cors enables it?
>me: If we do disable it for forms we'll just disable it for cors too.
>So much content will break for forms that the cors breakage won't be
>what we're concerned about.
>other person: Yeah, true.

At the point where browser vendors actually disable cross site form posts it won't break a lot of sites, since browser vendors are not in the habit of making changes that break a lot of sites. At best we'd have a vendor like Microsoft less concerned with having only one code path for everything who'd disable them in certain modes or based on certain headers or something like that, so they will slowly be phased out, alongside efforts to change major sites and educating developers.

If not doing cross site posts without authorization is a goal, teaching authors it's fine to make cross site posts without authorization undermines that goal. It means more work for everyone to get to a point where browser vendors would even have this discussion. What you are saying amounts to telling authors "Hey, here is a new way to do cross site posts; btw, if you use this, we are planning on breaking your site and thousands of others." That's not very reasonable.

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Wednesday, 24 November 2010 03:37:25 UTC