- From: Michael Nordman <michaeln@google.com>
- Date: Mon, 31 Jan 2011 14:57:11 -0800
I don't fully understand your emphasis on the implied semantics of a CORS request. You say it *only* means a site can read the response. I don't see that in the draft spec. Cross-origin XHR may have been the big motivation behind CORS, but the mechanisms described in the spec appear agnostic with regard to use cases and the abstract section seems to invite additional use cases.

I do appreciate that using CORS for this feels like blurring the lines between two different things. I wonder if there should be additional request/response headers in CORS to convey the intended "use" of the resource and whether that particular "use" is allowed?

If not CORS, what mechanism would you suggest to allow HTTPS resources from another origin to be included in a cache manifest file? Any means for the 'other' origin to opt in will suit my needs.

On Fri, Jan 28, 2011 at 8:52 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> On Fri, Jan 28, 2011 at 2:13 PM, Michael Nordman <michaeln at google.com> wrote:
>> On Thu, Jan 27, 2011 at 8:30 PM, Jonas Sicking <jonas at sicking.cc> wrote:
>>> On Thu, Jan 27, 2011 at 5:16 PM, Michael Nordman <michaeln at google.com> wrote:
>>>> A CORS based answer to this would work for the folks that have
>>>> expressed an interest in this capability to me.
>>>>
>>>> cc'ing some other appcache implementors too... any thoughts?
>>>
>>> CORS has the semantics of "you're allowed to make these types of
>>> requests to this resource, and you're allowed to read the response
>>> from such requests". This is very different from what is being
>>> requested here as I understand it?
>>>
>>> So either we'd need to add more headers to CORS, or come up with some
>>> other header-based solution I think.
>>>
>>> / Jonas
>>
>> Seems like CORS describes a protocol more than prescribes semantics?
>> Is it really necessary to build up another protocol. From the
>> abstract,
>> "Specifications that enable an API to make cross-origin requests to
>> resources can use the algorithms defined by this specification."
>
> As long as you don't confuse webauthors. I.e. if an author sends:
>
> access-control-allow-origin: *
>
> that *only* means that any site can read that response. I.e. that it
> doesn't come with any unrelated side effects such as cache pinning or
> the like.
>
> / Jonas
>
Received on Monday, 31 January 2011 14:57:11 UTC