- From: <bugzilla@jessica.w3.org>
- Date: Fri, 21 Jan 2011 19:07:57 +0000
- To: public-webapps@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11835

Summary: Please do *not* require a same-origin restriction in user agents (as currently specified under "Security Considerations")! These cross-origin data leakage security issues have already been addressed by the CORS specification (http://www.w3.org/TR/cors/).
Product: WebAppsWG
Version: unspecified
Platform: Other
URL: http://www.whatwg.org/specs/web-apps/current-work/#top
OS/Version: other
Status: NEW
Severity: normal
Priority: P3
Component: Server-Sent Events (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: contributor@whatwg.org
QAContact: member-webapi-cvs@w3.org
CC: mike@w3.org, public-webapps@w3.org

Specification: http://dev.w3.org/html5/eventsource/
Section: http://www.whatwg.org/specs/web-apps/current-work/complete.html#top

Comment:
Please do *not* require a same-origin restriction in user agents (as currently specified under "Security Considerations")! These cross-origin data leakage security issues have already been addressed by the CORS specification (http://www.w3.org/TR/cors/). EventSource should simply adopt the policies outlined there.

I consider this a critical flaw, as cross-domain requests are essential to working around user-agent connection limits. Unless this is addressed, developers will simply ignore native user-agent implementations and write their own, XHR+CORS-based, APIs (as they're already doing.) This spec will be nothing more than tepid inspiration for those 3rd-party solutions, and ignored otherwise.

Posted from: 66.220.144.74

--
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Received on Friday, 21 January 2011 19:07:59 UTC
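
The CORS opt-in model the report refers to, applied to an event stream, as an added example that is not part of the original message or of either specification: the server decides which origins may read the stream, and the user agent checks that decision before exposing any data to the page. The function names and the origins are hypothetical, and the check is simplified to the `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` headers.

```javascript
// Added example: server opt-in and user-agent check for a cross-origin
// text/event-stream response under CORS. All names and origins are constructed.

// Server side: choose the headers to send with the event stream.
function eventStreamHeaders(requestOrigin, allowedOrigins, allowCredentials) {
  const headers = {
    "Content-Type": "text/event-stream",
    "Cache-Control": "no-cache",
    // The response differs per Origin, so caches must key on that header.
    "Vary": "Origin",
  };
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    // Echo the exact origin instead of "*": a wildcard is never valid
    // together with credentials (cookies, HTTP authentication).
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    if (allowCredentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  // No Access-Control-* header means no opt-in: the stream stays same-origin only.
  return headers;
}

// User-agent side: may a page at pageOrigin read this response?
function corsCheckPasses(pageOrigin, responseHeaders, withCredentials) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return false; // server did not opt in
  if (withCredentials) {
    // Credentialed requests need an exact origin match and an explicit "true".
    return allow === pageOrigin &&
      responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return allow === "*" || allow === pageOrigin;
}

// Constructed sample: one trusted dashboard origin, one unknown origin.
const ALLOWED = ["https://dashboard.example"];
const trusted = eventStreamHeaders("https://dashboard.example", ALLOWED, true);
const unknown = eventStreamHeaders("https://other.example", ALLOWED, true);
console.log(corsCheckPasses("https://dashboard.example", trusted, true));
console.log(corsCheckPasses("https://other.example", unknown, true));
```
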