On Tue, 22 Dec 2009 02:48:42 +0100, Kenton Varda <[email protected]> wrote:
> It *is* a problem today with XMLHttpRequest. This is, for example, one
> reason why we cannot host arbitrary HTML documents uploaded by users on
> google.com -- a rather large inconvenience! If it were feasible, we'd be
> arguing for removing this ability from XMLHttpRequest. However,
> removing a feature that exists is generally not possible; better to
> avoid adding it in the first place.

There are plenty of other features that already make that impossible.

> With CORS, the problems would be worse, because now you not only have to
> ensure that your own server is trust-worthy and free of CSRF, but also
> the servers of everyone you allow to access your resource. Problems are
> likely to multiply exponentially.

Isn't this also true for the non-CORS solution? A secret token can be
stolen as well.

I'm personally not really married to either approach, but it is still not
clear to me how to make use of UM to address the use cases CORS
has. And for the cases where UM can replace it, it appears to be much more
complicated, which I do not think is a good sign if we expect authors to
make mistakes.
I tried to clarify the use cases for CORS here (if more detail is needed
please let me know):
http://dev.w3.org/2006/waf/access-control/#use-cases
It would be nice to have sufficient detail on how each of these would work
with UM so we can evaluate things better.
--
Anne van Kesteren
http://annevankesteren.nl/