On Tue, Feb 17, 2015 at 6:46 PM, David Ascher <[email protected]> wrote: > When looking at that security model, a startup hoping to bootstrap something > like a flipboard clone (or ideally something like flipboard but with some > innovation), without the option of SystemXHR, will create a server which > proxies those requests, circumventing the CORS security model until they get > to the scale at which publishers a) might notice the server impact, and b) > will take their calls. And that, I suspect is fine for 99% of startups out > there. But it does mean that bootstrapping requires a server aspect to the > app, which then diminishes the strength of a pure-client model (and has > obvious privacy implications).
Yeah, so this is the problem I have with the systemXHR arguments. It presumes some kind of distribution of applications that is not the web itself. If my application is https://rssreader.example/ I already have a server and can do these things. Now I cannot do it entirely client-side and that is a drawback of sorts, but due to that users do get the caching and scale benefits, and sites being read also get the caching and scale benefits. There's arguably more privacy benefits for the user as the sites being read do not know about the user. They only know about the intermediary. Now if we think that hosting an application is too prohibitive we should offer something like https://{myapp}.mozillapp.example/ and to those developers we could also offer certain HTTP APIs, such as a "CORS proxy". That also ties in a bit with what we're doing already with Webmaker and allows for creating and distributing applications in a way that makes them not exclusive to Firefox OS. But instead makes them part of the web, by giving them a place on it. -- https://annevankesteren.nl/ _______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
