Hi Tyler,
On Nov 5, 2009, at 5:48 PM, Tyler Close wrote:
> Closing remark:
> In another thread, you've written "I do think that a way to do an
> anonymous XHR is justified", so I don't know how much sense it makes
> to continue this thread. You put so much effort into this email that I
> felt I owed you a response.
Let me make sure I understand your position and overall goal in this
discussion. Is it:
A) An API to do anonymous XHR (such as GuestXHR) should be provided
*AND* CORS should be abandoned (and perhaps removed from
implementations shipping it).
OR:
B) An API to do anonymous XHR (such as GuestXHR) should be added, but
you can live with CORS continuing to exist.
I thought your position was (A). If it is in fact (B), then perhaps we
have all invested more energy than necessary in this debate, because I
don't think (B) is especially controversial. But if your position is
(A), then the statement you quoted wasn't meant to agree with that
position (in case it wasn't clear).
That being said, I feel the input from you and Mark and the ensuing
discussion has helped the Working Group get a better understanding of
the security issues in this area, and I believe it will help us make a
high-quality Security Considerations section. So if you have further
replies in mind that would help inform the conversation, then please
feel encouraged to send them.
Regards,
Maciej