- From: Henry Story <henry.story@bblfish.net>
- Date: Fri, 1 Apr 2016 20:29:47 +0100
- To: Tim Berners-Lee <timbl@w3.org>
- Cc: Jonas Sicking <jonas@sicking.cc>, Mark Nottingham <mnot@mnot.net>, Public TAG List <www-tag@w3.org>
> On 1 Apr 2016, at 19:26, Tim Berners-Lee <timbl@w3.org> wrote:
>
>> On 2016-01-21, at 01:24, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> On Mon, Jan 18, 2016 at 3:27 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>> ... or at least the motivations behind the decisions explained. It's pretty impenetrable now, and even security folks don't profess to know all of the details behind CORS any more.
>>
>> I'm bummed to hear that aspects of CORS are still confusing even to the TAG. This stuff likely needs to get documented someplace. I had hoped that it'd get documented in the spec, but maybe there's a better place?
>
> Perhaps the problems are that it is complicated, rather arbitrary, and not derived from general principles.

My guess is that to build this on general principles it would be useful to work with some form of modal logic, e.g. doxastic logic [1]. Perhaps this has already been done.

We have a number of actors that are part of the protocol:

a. the origin agent O
b. the browser B
c. the web server S
d. the resource R

The browser needs to tell the web server that a request is not coming from it, but that it is relaying the information from a JS actor named by the origin of the JS. So something like: B is relaying that O wants access X to resource R.

This could be formalised and then the reasons for the decisions might become clearer. It took me quite a lot of thinking before it became clear what some of the reasons for some of the decisions might be...

Henry

[1] https://en.wikipedia.org/wiki/Doxastic_logic
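The relay Henry describes (browser B telling server S that origin O wants access X to resource R, and S deciding) is visible in the two halves of a CORS exchange: the browser decides whether a request is "simple" or needs an OPTIONS preflight and stamps the script's origin into the Origin header, which the script itself cannot set; the server then answers per origin and per method. The following Python is an added example for this thread, not code from Henry Story, Tim Berners-Lee or the W3C TAG; the policy table, the origins in it and the helper names `needs_preflight`, `cors_decision` and `POLICY` are constructed for illustration, and the preflight rule is simplified from the Fetch standard.

```python
"""Added example: the two sides of a CORS relay, in the thread's terms.

Browser side: B decides whether O's intended request is "simple" or must be
announced with a preflight.  Server side: S reads the Origin header that B
(not the script) attached and decides, from a per-origin policy, whether R may
be shared with O.  Policy and sample requests are constructed, not real.
"""
from dataclasses import dataclass, field

# Constructed allowlist: origin O -> which methods (access X) it may use on R,
# and whether cookies/credentials may accompany the request.
POLICY = {
    "https://app.example": {"methods": {"GET", "POST", "DELETE"}, "credentials": True},
    "https://widget.example": {"methods": {"GET"}, "credentials": False},
}

# Browser-side constants (simplified from the Fetch standard's CORS-safelisted rules).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def needs_preflight(method: str, script_headers: dict) -> bool:
    """B's rule: send an OPTIONS preflight first unless the method and every
    header the script set are 'simple'.  Anything else could have side effects
    the server never agreed to, so O's intent is announced before it is sent."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in script_headers.items():
        n = name.lower()
        if n not in SAFELISTED_HEADERS:
            return True
        media_type = value.split(";")[0].strip().lower()
        if n == "content-type" and media_type not in SAFELISTED_CONTENT_TYPES:
            return True
    return False


@dataclass
class Decision:
    allowed: bool
    headers: dict = field(default_factory=dict)  # response headers S emits
    reason: str = ""


def cors_decision(request_headers: dict, method: str) -> Decision:
    """S's rule for one request relayed by B.

    request_headers: headers as received (lookup is case-insensitive here).
    method: the HTTP method of this request; for a preflight the method O
            actually wants is in Access-Control-Request-Method.
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin is None:
        # No relay claim at all: same-origin or non-browser client, nothing to grant.
        return Decision(True, {}, "no Origin header; not a cross-origin request")

    rule = POLICY.get(origin)
    if rule is None:
        # Stay silent rather than echo the origin back: B then withholds the
        # response body from O's script.
        return Decision(False, {}, f"origin {origin} not in policy")

    # A preflight asks on O's behalf: "may I later send method M?"
    is_preflight = method.upper() == "OPTIONS" and "access-control-request-method" in h
    wanted = h["access-control-request-method"] if is_preflight else method
    if wanted.upper() not in rule["methods"]:
        return Decision(False, {}, f"method {wanted} not allowed for {origin}")

    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if rule["credentials"]:
        # Credentials may only be paired with an explicit origin, never with "*".
        resp["Access-Control-Allow-Credentials"] = "true"
    if is_preflight:
        resp["Access-Control-Allow-Methods"] = ", ".join(sorted(rule["methods"]))
        resp["Access-Control-Max-Age"] = "600"
    return Decision(True, resp, "allowed")


if __name__ == "__main__":
    # Constructed walk-through: O = https://app.example wants DELETE on R.
    print("preflight needed:", needs_preflight("DELETE", {}))
    pre = cors_decision({"Origin": "https://app.example",
                         "Access-Control-Request-Method": "DELETE"}, "OPTIONS")
    print("preflight:", pre)
    print("actual:", cors_decision({"Origin": "https://app.example"}, "DELETE"))
    print("stranger:", cors_decision({"Origin": "https://other.example"}, "GET"))
```

The point the thread is circling is visible in the two functions: the script's origin reaches S only because B asserts it, and S's answer is a grant to that named O rather than to "whoever asked", which is why an allowlist lookup (plus `Vary: Origin`, so caches do not replay one origin's grant to another) is the safe shape and echoing any Origin is not.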
Received on Friday, 1 April 2016 19:30:19 UTC