- From: Mike Samuel <mikesamuel@gmail.com>
- Date: Thu, 12 Oct 2017 15:43:05 -0400
- To: "Jack (Zhan, Hua Ping)" <jackiszhp@gmail.com>
- Cc: tink@tink.uk, "public-webapps@w3.org" <public-webapps@w3.org>
On Thu, Oct 12, 2017 at 3:03 PM, Jack (Zhan, Hua Ping) <jackiszhp@gmail.com> wrote: >> Chaals already posted a reminder about politeness and acceptable behaviour >> [1]. The Web Platform chairs prefer not to remove people from public-webapps >> unless it's necessary, but we will if we have to. >> >> Words like "stupid", and phrases like "incompetant professional", are not >> acceptable when referring to other people. Please be respectful, even if you >> disagree with someone's technical position. >> >> LĂ©onie, on behalf of the WebPlat co-chairs >> [1] https://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0022.html > You are telling me people are very weak, can be hurt very easily. > I am sorry since I am from low society so I did not pay much attention > to the words. > Let's focus on the issue itself. > > If anyone think the approach I proposed is stupid, I am expecting > she/he can tell me straight forward: > what you proposed is stupid because of #1...., #2...... > And I will appreciate the feedback to the point. I would not get hurt > since I do not assign much value or power to those words. #1 To quote Travis, "A self-granting permission model just isn't secure--the permission grant must come from the resource being requested." #2 Most distributed systems use both public and non-public APIs. The public APIs are carefully vetted, but the non-public APIs often make assumptions about their inputs because those inputs come from a smaller, more tightly controlled set of endpoints. CORS isn't for public APIs. CORS makes it easier for components of a distributed system to collaborate via non-public APIs. When you suggest adding your site to bank.com's list, you are effectively saying "I should have access to non-public APIs because I am an integral part of that distributed system and the implementation of those non-public APIs took my service into account." That is simply not true. If you dislike the fact that bank.com's public APIs don't suffice, ask them to extend their public APIs. If you notice that bank.com has a non-public API that does what you want but is CORS restricted, you're out of luck. Even if CORS changed, the API is not public and they may change or remove it at any time.
Received on Thursday, 12 October 2017 19:43:31 UTC