Re: [W3C TCP and UDP Socket API]: Status and home for this specification

It's a fair point, but without an origin authoritative opt-in it's not
gonna happen no matter what. Imagine say the displeasure of
awesomeEmail2000.com if trough some manner of XSS exploit (say in google
adds) suddenly millions of web-visitors connect to their email server
simultaneously...

On Wed, Apr 1, 2015 at 6:44 PM, Jonas Sicking <jonas@sicking.cc> wrote:

> On Wed, Apr 1, 2015 at 6:37 PM, Florian Bösch <pyalot@gmail.com> wrote:
> > On Wed, Apr 1, 2015 at 6:02 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> >>
> >> Not saying that we can use CORS to solve this, or that we should
> >> extend CORS to solve this. My point is that CORS works because it was
> >> specified and implemented across browsers. If we'd do something like
> >> what Domenic proposes, I think that would be true here too.
> >>
> >> However, in my experience the use case for the TCPSocket and UDPSocket
> >> APIs is to connect to existing hardware and software systems. Like
> >> printers or mail servers. Server-side opt-in is generally not possible
> >> for them.
> >
> > Isn't the problem that these existing systems can't be changed (let's
> say an
> > IRC server) to support say WebSockets, and thus it'd be convenient to be
> > able to TCP to it. I think that is something CORS-like could actually
> solve.
> > You could deploy (on the same origin) a webserver that handles the opt-in
> > for that origin/port/protocol and then the webserver can open a
> connection
> > to it. For example:
> >
> > var socket = new Socket(); socket.connect('example.com', 194);
> >
> > ->
> >
> > RAW-SOCKET-OPTIONS HTTP/1.1
> > port: 194
> > host: example.com
> >
> > ->
> >
> > HTTP/1.1 200 OK
> > Access-Control-Allow-Origin: example.com
> >
> > -> browser opens a TCP connection to example.com 194.
> >
> > So you don't need to upgrade the existing system for server
> authorization.
> > You just need to deploy a (http compatible) authorative source on the
> same
> > origin that can give a browser the answer it desires.
>
> Again, the use case here is to enable someone to develop, for example,
> a browser base mail client which has support for POP/IMAP/SMTP.
>
> It's going to be very hard for that email client to get any
> significant user base if their "install steps" are:
>
> 1. Go to awesomeEmail2000.com
> 2. Contact your mail provider and ask them to install a http server on
> their mail server
> 3. There is no step three :)
>
> / Jonas
>

Received on Wednesday, 1 April 2015 16:48:18 UTC