Re: file sharing services

I spoke to Jonas and several others at TPAC, and everyone agreed that for
web servers that are not behind a firewall, it's safe to
*always* Access-Control-Allow-Origin: *.

If this is true, as it seems to be, it would be great if the spec would
explicitly call out the reason for requiring the header for cookie-less
requests, and say that in non-firewall cases, it's always safe to include
the header.

Yehuda Katz
(ph) 718.877.1325


On Thu, Dec 1, 2011 at 7:53 AM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:

> On Mon, Nov 28, 2011 at 4:05 AM, Nicolas Mollet <nico.mollet@gmail.com>
> wrote:
> > Hello,
> >
> > I am new here, not sure if it's the good place to talk about my problem.
> >
> > What I understand, CORS is a new specification, and it was introduced in
> the
> > latest Firefox 8.
> > Many users started to edit their servers properties using
> > "Access-Control-Allow-Origin" property.
> >
> > What about servers we don't have access to, like the file sharing
> services
> > (Dropbox, Photobucket).
> >
> > For example, in my project, I hosted many files on Dropbox Public Folder
> :
> > now it is becoming useless because CORS is not enabled on Dropbox.
> > What should be done ? Can Dropbox change his policy according to CORS ?
> >
> > Does your group can contact file sharing services so they can adapt their
> > services to CORS ?
> >
> > Thank you very much,
>
> Yes, third-party hosting services need to add CORS headers as well if
> they want their stuff to be accessible from XHR, etc.  It's the same
> process for them as it is for a normal author.
>
> It's possible that someone from this mailing list could contact those
> services.  It's more likely to happen, though, if you do it yourself.
> ^_^
>
> ~TJ
>
>