Arthur Barstow wrote:
Members of the Web Apps WG,
Below is an email from Henry Thompson (forwarded with his permission),
on behalf of the TAG [1], re the CORS spec [2].
Two things:
1. Please respond to at least this part of Henry's mail:
[[
It appeared to us that a number of significant criticisms of the
appropriateness of CORS have been submitted to the Working Group, from
respected members of the Web Security community among others. These
convinced us that there is a real possibility either that server-side
deployment won't happen, or that even if it did the new functionality
provided would, on the one hand, be insufficiently secure while, on the
other, discouraging the provision of something more satisfactory.
]]
2. For those that have been active in defining the CORS model and/or
CORS implementers - particularly Adam, Anne, Jonas, Hixie, Maciej, IE
guys (whomever replaced Sunava) - please indicate:
a) their level of interest in continuing to push the current CORS model;
I've documented what Firefox 3.5 will do here:
https://developer.mozilla.org/En/HTTP_access_control
Also see:
https://developer.mozilla.org/En/Server-Side_Access_Control
Now, note that this documentation is dated (it still uses the term
"Access Control" which should change). But it is a reflection of what
will go live in Fx3.5 (Jonas has already commented on redirects on
preflighted requests, which won't be supported).
A simple test of Fx 3.5 functionality might be:
http://arunranga.com/examples/access-control/
We continue to have discussion about the "number of significant
criticisms." I'm keen to see this result in tangible proposals.
b) their implementation plans for CORS.
See above (and see email from Jonas Sicking).
-- A*
