[whatwg] AppCache feature request: An https manifest should be able to list resources from other https origins.

On Fri, Jan 28, 2011 at 2:13 PM, Michael Nordman <michaeln at google.com> wrote:
> On Thu, Jan 27, 2011 at 8:30 PM, Jonas Sicking <jonas at sicking.cc> wrote:
>> On Thu, Jan 27, 2011 at 5:16 PM, Michael Nordman <michaeln at google.com> wrote:
>>> A CORS based answer to this would work for the folks that have
>>> expressed an interest in this capability to me.
>>>
>>> cc'ing some other appcache implementors too... any thoughts?
>>
>> CORS has the semantics of "you're allowed to make these types of
>> requests to this resource, and you're allowed to read the response
>> from such requests". This is very different from what is being
>> requested here as I understand it?
>>
>> So either we'd need to add more headers to CORS, or come up with some
>> other header-based solution I think.
>>
>> / Jonas
>
> Seems like CORS describes a protocol more than prescribes semantics?
> Is it really necessary to build up another protocol. From the
> abstract,
> "Specifications that enable an API to make cross-origin requests to
> resources can use the algorithms defined by this specification."

As long as you don't confuse webauthors. I.e. if an author sends:

access-control-allow-origin: *

that *only* means that any site can read that response. I.e. that it
doesn't come with any unrelated side effects such as cache pinning or
the like.

/ Jonas

Received on Friday, 28 January 2011 20:52:58 UTC