Re: fyi: Cross-Origin Resource Embedding Restrictions

On 3/1/2011 2:06 PM, Jonathan Rees wrote:
> Until now the browser has been a user-agent, acting on
> the user's behalf. This is true even when CORS is added. If I
> understand it correctly, this proposal enlists the browser as a
> server-agent as well, rather like DRM.

That's an interesting point, but I don't think the history is quite as 
clear as you imply. In many traditional Web interaction scenarios, the 
server depends, at least to some degree, on the correctness and good faith 
of the client. For example, is it really only the user who cares that 
certificates are checked when https-scheme URIs are dereferenced? Clearly, 
any sufficiently knowledgeable user would care, but so might my bank, which 
might otherwise be somewhat more vulnerable to man-in-the-middle attacks, I 
think. In that case, I think both the user and (the application at) the 
server care.

Noah

Received on Tuesday, 1 March 2011 19:37:33 UTC