On Thu, Dec 17, 2009 at 12:58 PM, Ian Hickson <i...@hixie.ch> wrote: > With CORS, I can trivially (one line in the .htaccess file for my site) > make sure that no sites can use XBL files from my site other than my > sites. My sites don't do any per-user tracking; doing that would involve > orders of magnitude more complexity. >
I was debating about one particular use case, and this one that you're talking about now is completely different. I can propose a different solution for this case, but I think someone will just change the use case again to make my new solution look silly, and we'll go in circles. > How can an origin voluntarily identify itself in an unspoofable fashion? > Without running scripts? > It can't. My point was that for simple non-security-related statistics gathering, spoofing is not a big concern. People can spoof browser UA strings but we still gather statistics on them. > I have no problem with offering a feature like UM in CORS. My objection is > to making the simple cases non-trivial, e.g. by never including Origin > headers in any requests. > Personally I'm not actually arguing against standardizing CORS. What I'm arguing is that UM is the natural solution for software designed in an object-oriented, loosely-coupled way. I'm also arguing that loosely-coupled object-oriented systems are more powerful and better for users.
