- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 11 Jun 2012 14:41:21 +0200
- To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
- Cc: W3C Web App Security WG <public-webappsec@w3.org>

On Wed, Jun 6, 2012 at 1:08 AM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> Brad's incorporation of my comments into CORS sec considerations is largely
> fine by me. I've attached a further-redlined version (both .docx and .pdf)
> of the redlined .pdf he had sent to the list with some modest mods.

1) Doing this as PDF/Word documents makes it extremely painful to integrate.

2) I'm not sure the new text is actually better. E.g. it contains the phrase "This specification defines how to authorize an instance of an application from a foreign origin, executing in the user agent, to access the representation of the resource in an HTTP response." Origin is a user-agent centric concept. Turning it around seems unwise and is inconsistent with the rest of the specification and any other specification on the subject. It's also not clear to me we need to reiterate what http://tools.ietf.org/html/rfc6454 already explains. That only increases the room for error.

--
Anne — Opera Software
http://annevankesteren.nl/
http://www.opera.com/

Received on Monday, 11 June 2012 12:41:50 UTC