On Wed, 12 May 2010 22:18:54 +0200, Jonas Sicking jo...@sicking.cc wrote:
I don't think that is needed. If I understand it correctly, your
concern is as follows:
Hmm yeah... What about simplifying XMLHttpRequest though by removing
withCredentials? I think that would be quite a good
On May 6, 2010, at 5:30 PM, Anne van Kesteren wrote:
Here is a brief proposal for how we could simplify the current set of CORS
headers. We can use this thread to evaluate whether it is worth breaking with
what Firefox, Safari, Chrome, and IE are doing now. And whether all parties
are
What does WebSQLDatabase do? I believe the version parameter was based on
that spec.
J
On Wed, May 12, 2010 at 7:02 PM, Shawn Wilsher sdwi...@mozilla.com wrote:
Hey all,
A recent concern that we have come across at Mozilla is what happens when
the version changes? Do we silently continue
On 12.05.2010 22:39, Nathan wrote:
Devdatta wrote:
As for the should CORS exist discussion, I'll bow out of those until
we're starting to move towards officially adopting a WG decision one
way or another, or genuinely new information is provided which would
affect such a decision (for the
On May 13, 2010, at 3:05 AM, Julian Reschke wrote:
On 12.05.2010 22:39, Nathan wrote:
Devdatta wrote:
As for the should CORS exist discussion, I'll bow out of those until
we're starting to move towards officially adopting a WG decision one
way or another, or genuinely new information is
Maciej Stachowiak wrote:
On May 13, 2010, at 3:05 AM, Julian Reschke wrote:
On 12.05.2010 22:39, Nathan wrote:
Devdatta wrote:
As for the should CORS exist discussion, I'll bow out of those until
we're starting to move towards officially adopting a WG decision one
way or another, or
Greetings WebApps WG,
I have updated the editor's draft of the File API to reflect changes
that have been in discussion.
http://dev.w3.org/2006/webapi/FileAPI
Notably:
1. Blobs now allow further binary data operations by exposing an
ArrayBuffer property that represents the Blob.
On May 12, 2010, at 2:42 PM, ext Jonas Sicking wrote:
If so, I'd really like to see the chairs move forward with making the
WG make some sort of formal decision on whether CORS should be
published or not. Repeating the same discussion over and over is not
a good use of your time or mine.
There is
If you search archives you will find a discussion on versioning and that we
gave up on doing version management inside the browser and instead leave it to
applications to do their own versioning and upgrades.
Nikunj
On May 12, 2010, at 11:02 AM, Shawn Wilsher wrote:
Hey all,
A recent
On 5/13/10 7:37 AM, David Levin wrote:
On Thu, May 13, 2010 at 5:27 AM, Arun Ranganathan a...@mozilla.com wrote:
Greetings WebApps WG,
I have updated the editor's draft of the File API to reflect changes that
have been in discussion.
http://dev.w3.org/2006/webapi/FileAPI
Notably:
1.
On 5/13/10 7:37 AM, David Levin wrote:
On Thu, May 13, 2010 at 5:27 AM, Arun Ranganathan a...@mozilla.com wrote:
Greetings WebApps WG,
I have updated the editor's draft of the File API to reflect changes that
have been in discussion.
http://dev.w3.org/2006/webapi/FileAPI
Notably:
1.
On Wed, May 12, 2010 at 10:02 PM, Ian Hickson i...@hixie.ch wrote:
On Wed, 12 May 2010, Tyler Close wrote:
So HTML is not vulnerable to Cross-Site Scripting, C++ is not vulnerable
to buffer overflows and so CORS is not vulnerable to Confused Deputy.
Correct.
As explained above, CORS
On 12 May 2010 17:54, Marcin Hanclik marcin.hanc...@access-company.com wrote:
Hi Nathan,
This seems to be the current related standardization effort:
http://bondidev.omtp.org/1.5/crypto.html
=
http://bondi01.obe.access-company.com/1_5_5602_145/crypto.html
I find it slightly worrying that
On Wed, May 12, 2010 at 10:24 PM, Marcin Hanclik
marcin.hanc...@access-company.com wrote:
Hi Nathan,
This seems to be the current related standardization effort:
http://bondidev.omtp.org/1.5/crypto.html
=
http://bondi01.obe.access-company.com/1_5_5602_145/crypto.html
I think the OP request
Vivek Khurana wrote:
On Wed, May 12, 2010 at 10:24 PM, Marcin Hanclik
marcin.hanc...@access-company.com wrote:
Hi Nathan,
This seems to be the current related standardization effort:
http://bondidev.omtp.org/1.5/crypto.html
=
http://bondi01.obe.access-company.com/1_5_5602_145/crypto.html
I
On 5/13/2010 7:51 AM, Nikunj Mehta wrote:
If you search archives you will find a discussion on versioning and that we
gave up on doing version management inside the browser and instead leave it to
applications to do their own versioning and upgrades.
Right, I'm not saying we should manage it,
On Wed, May 12, 2010 at 6:41 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Wed, May 12, 2010 at 5:36 PM, Dirk Pranke dpra...@chromium.org wrote:
On Wed, May 12, 2010 at 5:15 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Wed, May 12, 2010 at 5:07 PM, Adam Barth w...@adambarth.com wrote:
On
On Thu, May 13, 2010 at 6:39 AM, Arthur Barstow art.bars...@nokia.com wrote:
On May 12, 2010, at 2:42 PM, ext Jonas Sicking wrote:
If so, I'd really like to see the chairs move forward with making the
WG make some sort of formal decision on whether CORS should be
published or not. Repeating
Hi Ian,
On May 13, 2010, at 1:02 AM, Ian Hickson wrote:
On Wed, 12 May 2010, Tyler Close wrote:
[...]
You are using the word vulnerable in a manner inconsistent with its
meaning in the Web standards community.
I think the specific vulnerability is that a server is vulnerable to a
On 13 May 2010, at 13:27, Arun Ranganathan wrote:
Greetings WebApps WG,
I have updated the editor's draft of the File API to reflect changes that
have been in discussion.
http://dev.w3.org/2006/webapi/FileAPI
Notably:
1. Blobs now allow further binary data operations by exposing an
On Wed, May 12, 2010 at 10:02 PM, Ian Hickson i...@hixie.ch wrote:
On Wed, 12 May 2010, Tyler Close wrote:
So HTML is not vulnerable to Cross-Site Scripting, C++ is not vulnerable
to buffer overflows and so CORS is not vulnerable to Confused Deputy.
Correct.
As some (at least me) might be
On Thu, May 13, 2010 at 1:50 PM, J Ross Nicoll j...@jrn.me.uk wrote:
On 13 May 2010, at 13:27, Arun Ranganathan wrote:
Greetings WebApps WG,
I have updated the editor's draft of the File API to reflect changes that
have been in discussion.
http://dev.w3.org/2006/webapi/FileAPI
Notably:
On Thu, May 13, 2010 at 12:05 AM, Anne van Kesteren ann...@opera.com wrote:
On Wed, 12 May 2010 22:18:54 +0200, Jonas Sicking jo...@sicking.cc wrote:
I don't think that is needed. If I understand it correctly, your
concern is as follows:
Hmm yeah... What about simplifying XMLHttpRequest
On 5/13/10 1:50 PM, J Ross Nicoll wrote:
On 13 May 2010, at 13:27, Arun Ranganathan wrote:
Greetings WebApps WG,
I have updated the editor's draft of the File API to reflect changes that have
been in discussion.
http://dev.w3.org/2006/webapi/FileAPI
Notably:
1. Blobs now allow further
Doug,
do you think we should create a new list and move this discussion
there? Or should we use one of the existing i18n lists?
If we do move this discussion off the webapps list, we may lose some
audience/expertise...
If nobody objects, we (Google) would like to take this discussion to
I mentioned earlier that I would attempt to provide a concrete use
case for CORS. Here it is; I suggest that this text be used as a basis
for part of the security considerations section of the spec.
If my example and the analysis are incorrect, or if this is not in fact
an intended use case for
On Thu, May 13, 2010 at 6:13 PM, Maciej Stachowiak m...@apple.com wrote:
On May 13, 2010, at 5:37 PM, Dirk Pranke wrote:
One could also observe that with the naive implementation of the CORS
API, *any* site could trivially fetch the user's portfolio data, which
is presumably not desirable,
On Thu, May 13, 2010 at 6:40 PM, Dirk Pranke dpra...@chromium.org wrote:
On Thu, May 13, 2010 at 6:13 PM, Maciej Stachowiak m...@apple.com wrote:
I think a more likely use case for CORS does not involve embedded gadgets at
all. Consider the example of a social network asking for access to your
On Thu, 13 May 2010, Dirk Pranke wrote:
The initial, insecure CORS solution is straightforward ... a gadget
running on My Yahoo! sends an XHR with the users' credentials to
http://finance.yahoo.com/api/v1/my_portfolio; and gets some JSON back.
If I understand this right, you are saying
Glad to hear that you didn't intend sync access :-)
Can you define the contentType parameter to slice better? Is that intended
to correspond to the value of a HTTP Content-Type response header? For
example, can the contentType value include a charset attribute? It might be
useful to indicate
30 matches