On 5/10/10 10:21 PM, Nathan wrote:
> 2: Implement a user UI confirmation screen to allow JS applications xhr access to other origin resources. (Similar to the allow desktop notifications scenario in chromium)
Under what conditions would the typical user be able to make an informed decision here?
> 3: Standardise a way of having signed scripts that are trusted (like mozilla have implemented)
Mozilla is removing signed script support. It leads to too much complexity, is disabled by default for users anyway, etc.
> Ideally, a long term shift towards global access unless denied by CORS would be an ideal solution (imo); typically corporate sysadmins will be a bit more up to speed when it comes to implementing security features than Joe Public, and I'm quite sure that a security bulletin + a bit of coverage around the web would get the information into the right hands
You're being _way_ too optimistic about this. "corporate sys admins" are still using HTML blacklists in HTML filters on a routine basis, after years of education attempts...
> Surely we can't be dependent on CORS indefinitely, perhaps some form of planned path as to how CORS might be phased out?
CORS is only needed if you want to perform actions cross-site with the user's credentials on the other site, right? For that use case, I would in fact expect us to depend on CORS indefinitely.
-Boris
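The point Boris makes about CORS being the opt-in for credentialed cross-site reads can be seen in a small model of both halves of the exchange. This is an added example, not code from the thread or from any browser; the origins, the allowlist and the two policies are constructed sample values, and the header logic follows the CORS rules as specified (exact-origin echo for credentialed access, `*` never covering credentials):

```javascript
// Added example, not code from the thread: a minimal model of the CORS decision on
// both sides. The server emits opt-in headers only for origins it trusts; the browser
// exposes a cross-origin response to script only when those headers cover the request.
// Origins, the allowlist and the policies below are constructed sample values.

// Server side. policy.publicResource: anyone may read it, but never with credentials.
// policy.allowedOrigins: origins that may read it with the user's cookies/auth.
function corsResponseHeaders(requestOrigin, policy) {
  if (policy.publicResource) {
    // Wildcard opt-in: any origin may read, but credentials are never honoured this way.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (!requestOrigin || !policy.allowedOrigins.includes(requestOrigin)) {
    // Not trusted: send no CORS headers, so the browser hides the response body.
    return {};
  }
  // Credentialed access must echo the exact origin; '*' is not accepted here.
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response differs per origin, so caches must key on it
  };
}

// Browser side. Decides whether script running at requestOrigin may read the response.
function browserExposesResponse(requestOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;          // server did not opt in at all
  if (acao === '*') return !withCredentials;     // wildcard never covers credentials
  if (acao !== requestOrigin) return false;      // must match the requesting origin exactly
  if (withCredentials) {
    return responseHeaders['Access-Control-Allow-Credentials'] === 'true';
  }
  return true;
}

// Runs the four cases a site operator cares about and returns the outcome of each.
function runScenarios() {
  const privatePolicy = { publicResource: false, allowedOrigins: ['https://app.example'] };
  const publicPolicy = { publicResource: true, allowedOrigins: [] };
  const cases = [
    // [label, requesting origin, withCredentials, server policy]
    ['public data, no credentials, any origin',      'https://other.example', false, publicPolicy],
    ['public data, credentialed request',            'https://other.example', true,  publicPolicy],
    ['private data, trusted origin, credentialed',   'https://app.example',   true,  privatePolicy],
    ['private data, untrusted origin, credentialed', 'https://other.example', true,  privatePolicy],
  ];
  const results = {};
  for (const [label, origin, creds, policy] of cases) {
    const headers = corsResponseHeaders(origin, policy);
    results[label] = browserExposesResponse(origin, creds, headers);
  }
  return results;
}

for (const [label, exposed] of Object.entries(runScenarios())) {
  console.log(`${exposed ? 'readable' : 'blocked '}  ${label}`);
}
```

The last two scenarios are the ones the thread is about: a read that carries the user's cookies to another site is only exposed when that site names the requesting origin explicitly and sets `Access-Control-Allow-Credentials`, which is why a blanket "global access unless denied" default has no equivalent for credentialed requests.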