Re: the discussion is over, resistance time

On Thu, 2009-07-02 at 19:19 -0500, Tab Atkins Jr. wrote:

> Unless I'm *completely* wrong (and I don't think I am, because Anne
> has been very assertive in correcting people about how same-origin and
> CORS works), you're wrong.

> Same-origin restrictions do not affect the server *at all*.  If a
> same-origin restriction is in effect, the *browser* enforces it,
> *after* receiving the resource from the server.

Very briefly:

  1 Introduction

  Server-side applications are enabled to discover
  that an HTTP request was deemed a cross-origin
  request by the user agent, through the Origin header.

  This extension enables server-side applications to
  enforce limitations on the cross-origin requests that
  they are willing to service.

CORS concedes the right of servers to not serve
up a given resource and constructs a system in which
conforming clients, which we presume most users will
use, help to streamline that process to the benefit
of both parties.


Received on Friday, 3 July 2009 00:34:20 UTC