- From: Markus Ernst <derernst@gmx.ch>
- Date: Tue, 16 Nov 2010 21:20:25 +0100
On 16.11.2010 19:12, Tab Atkins Jr. wrote:
> On Tue, Nov 16, 2010 at 10:06 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>> On 11/16/10 12:56 PM, Tab Atkins Jr. wrote:
>>>> - it is applicable at the client side without scripting
>>>
>>> This is not possible, for the simple reason that the whole point of
>>> CORS is to protect server resources. If you could deal with CORS
>>> purely on the client side, you'd be allowing the page author to
>>> determine if they themself are allowed to access a file on another
>>> server. That's a pretty obvious inversion of responsibility. ^_^
>>
>> Well, more precisely there is nothing that needs to be done on the client
>> side for CORS, right?
>
> Ah, if that's what Markus was getting at, then yes. CORS requires
> *zero* work on the client side, since it's completely done in the
> server-browser interaction. The entirety of the client's interaction
> in the process is the initial request for a resource.

That is great news. Adding a header via a server-side script is indeed easy enough.

(As I did not find any HTML attributes or whatever in the CORS spec, I was afraid that the use of XHR would be necessary to call a cross-origin page in an Iframe - which looked like a huge overhead and also an accessibility issue to me.)
Received on Tuesday, 16 November 2010 12:20:25 UTC
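
Added example, not part of the archived message: a simplified Python model of the server-browser exchange described in the thread, for a simple cross-origin GET without preflight. The origins in ALLOWED_ORIGINS and all function names are assumptions made for illustration.

```python
# Added illustration: simplified model of a CORS "simple" GET (no preflight).
# ALLOWED_ORIGINS and the function names are assumptions made for this example.

ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}  # constructed


def server_cors_headers(request_origin, allow_credentials=False):
    """Server side: decide per request which origin, if any, may read the response."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}  # no CORS header: the browser keeps the response from the page
    headers = {
        "Access-Control-Allow-Origin": request_origin,  # echo the vetted origin only
        "Vary": "Origin",  # caches must not reuse this response for another origin
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_shares_response(page_origin, response_headers, with_credentials=False):
    """Browser side: the check made before script on page_origin may read the body."""
    allowed = response_headers.get("Access-Control-Allow-Origin")
    if allowed is None:
        return False
    if with_credentials:
        # Credentialed requests need an exact origin match plus the explicit opt-in;
        # the wildcard is not accepted in this mode.
        return (allowed == page_origin and
                response_headers.get("Access-Control-Allow-Credentials") == "true")
    return allowed == "*" or allowed == page_origin


def fetch_cross_origin(page_origin, with_credentials=False, allow_credentials=False):
    """The page only issues the request; the two functions above decide the outcome."""
    headers = server_cors_headers(page_origin, allow_credentials)
    return browser_shares_response(page_origin, headers, with_credentials)


if __name__ == "__main__":
    for origin in ("https://app.example", "https://evil.example"):
        print(origin, "->", fetch_cross_origin(origin))
```

The page's only contribution is the request itself: whether its script may read the response is settled by the header the server emits and the comparison the browser performs.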