CORS: email from Henry Thompson re "CORS still not getting to closure"

by Arthur Barstow

Below is an email from Henry Thompson re CORS that I am forwarding  
with HT's permission.

-Regards, Art Barstow

Begin forwarded message:

> From: "ext Henry S. Thompson" <ht@...>
> Date: October 22, 2009 2:18:55 PM EDT
> To: "Barstow Art (Nokia-CIC/Boston)" <Art.Barstow@...>
> Subject: CORS still not getting to closure
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have just replied [1] to a message from Anne agreeing that, with
> respect to one of the threads that arose from your original forwarding
> of the TAG concerns about CORS [2], namely the importance of server-
> vs. client-side implementation, an issue can be closed.
>
> However, [2] raised _two_ concerns, and the second
>
>   there is a real possibility either that the new functionality
>   provided would, on the one hand, be insufficiently secure while, on
>   the other, discouraging the provision of something more
>   satisfactory.
>
> The most recent thread in the archives dealing with this was started
> by Mark Miller [3].  It does not seem to me that his concern, which
> is stated quite clearly:
>
>   The core criticism that several of us have raised about CORS has
>   never been addressed -- that it creates further confused deputy
>   problems.
>
> is reflected as an official issue in your issues list, or that it has
> in fact been resolved (i.e. that the WG has reached consensus on how
> to respond to it).  I'm asking you as Chair to please ensure that this
> gets into your process formally before you get to Last Call.
>
> Thanks,
>
> ht
>
> [1] http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0304.html
> [2] http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1215.html
> [3] http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0102.html
> - --
>        Henry S. Thompson, School of Informatics, University of Edinburgh
>                          Half-time member of W3C Team
>       10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
>                 Fax: (44) 131 651-1426, e-mail: ht@...
>                        URL: http://www.ltg.ed.ac.uk/~ht/
> [mail really from me _always_ has this .sig -- mail without it is forged spam]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFK4KIPkjnJixAXWBoRAmvGAJ0ZE58mX7ICKMQTZh0QZYePf5MhNwCfWiJd
> kyfdoIKF73HkTxyBhUn2Tws=
> =B4YF
> -----END PGP SIGNATURE-----



[CORS] ISSUE-108: confused deputy problem

by Arthur Barstow

For those that may have missed it, during the November 2 CORS  
discussion, Issue-108 was created to capture the TAG's concern as  
articulated by Henry below:

  http://www.w3.org/2008/webapps/track/issues/108

-Regards, Art Barstow

[1] http://www.w3.org/2009/11/02-webapps-minutes.html#item03


On Oct 23, 2009, at 6:13 AM, Barstow Art (Nokia-CIC/Boston) wrote:

> Below is an email from Henry Thompson re CORS that I am forwarding
> with HT's permission.
>
> -Regards, Art Barstow
>
> Begin forwarded message:
>
>> From: "ext Henry S. Thompson" <ht@...>
>> Date: October 22, 2009 2:18:55 PM EDT
>> To: "Barstow Art (Nokia-CIC/Boston)" <Art.Barstow@...>
>> Subject: CORS still not getting to closure
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I have just replied [1] to a message from Anne agreeing that, with
>> respect to one of the threads that arose from your original forwarding
>> of the TAG concerns about CORS [2], namely the importance of server-
>> vs. client-side implementation, an issue can be closed.
>>
>> However, [2] raised _two_ concerns, and the second
>>
>>   there is a real possibility either that the new functionality
>>   provided would, on the one hand, be insufficiently secure while, on
>>   the other, discouraging the provision of something more
>>   satisfactory.
>>
>> The most recent thread in the archives dealing with this was started
>> by Mark Miller [3].  It does not seem to me that his concern, which
>> is stated quite clearly:
>>
>>   The core criticism that several of us have raised about CORS has
>>   never been addressed -- that it creates further confused deputy
>>   problems.
>>
>> is reflected as an official issue in your issues list, or that it has
>> in fact been resolved (i.e. that the WG has reached consensus on how
>> to respond to it).  I'm asking you as Chair to please ensure that this
>> gets into your process formally before you get to Last Call.
>>
>> Thanks,
>>
>> ht
>>
>> [1] http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0304.html
>> [2] http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1215.html
>> [3] http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0102.html
>> - --
>>        Henry S. Thompson, School of Informatics, University of Edinburgh
>>                          Half-time member of W3C Team
>>       10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
>>                 Fax: (44) 131 651-1426, e-mail: ht@...
>>                        URL: http://www.ltg.ed.ac.uk/~ht/
>> [mail really from me _always_ has this .sig -- mail without it is forged spam]
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.6 (GNU/Linux)
>>
>> iD8DBQFK4KIPkjnJixAXWBoRAmvGAJ0ZE58mX7ICKMQTZh0QZYePf5MhNwCfWiJd
>> kyfdoIKF73HkTxyBhUn2Tws=
>> =B4YF
>> -----END PGP SIGNATURE-----
>
>