Re: [cors] TAG request concerning CORS & Next Step(s)


by Arun Ranganathan-4

Arthur Barstow wrote:

> Members of the Web Apps WG,
>
> Below is an email from Henry Thompson (forwarded with his permission),
> on behalf of the TAG [1], re the CORS spec [2].
>
> Two things:
>
> 1. Please respond to at least this part of Henry's mail:
>
> [[
> It appeared to us that a number of significant criticisms of the
> appropriateness of CORS have been submitted to the Working Group, from
> respected members of the Web Security community among others. These
> convinced us that there is a real possibility either that server-side
> deployment won't happen, or that even if it did the new functionality
> provided would, on the one hand, be insufficiently secure while, on the
> other, discouraging the provision of something more satisfactory.
> ]]
>
> 2. For those that have been active in defining the CORS model and/or
> CORS implementers - particularly Adam, Anne, Jonas, Hixie, Maciej, IE
> guys (whomever replaced Sunava) - please indicate:
>
> a) their level of interest in continuing to push the current CORS model;

I've documented what Firefox 3.5 will do here:

https://developer.mozilla.org/En/HTTP_access_control

Also see:

https://developer.mozilla.org/En/Server-Side_Access_Control

Now, note that this documentation is dated (it still uses the term
"Access Control" which should change).  But it is a reflection of what
will go live in Fx3.5 (Jonas has already commented on redirects on
preflighted requests, which won't be supported).

A simple test of Fx 3.5 functionality might be:

http://arunranga.com/examples/access-control/

We continue to have discussion about the "number of significant
criticisms."  I'm keen to see this result in tangible proposals.
>
> b) their implementation plans for CORS.

See above (and see email from Jonas Sicking).

-- A*