Ian Hickson wrote:
> On Wed, 12 May 2010, Tyler Close wrote:
>> We've gone through several scenarios on this list where this validation
>> is not feasible. On the chromium list, I recently explained how it is
>> not possible to implement a generic AtomPub client that does this
>> validation:
>> http://groups.google.com/a/chromium.org/group/chromium-dev/msg/afda9a4d1d1a4fcb
>
> I don't think using AtomPub is necessarily a good idea. AtomPub was not
> designed for use with CORS. If you're going to use technologies
> inappropriately then sure, you'll have security problems.

But you can't use any RESTful with CORS because it strips Location,
Content-Location etc.
Perfectly secure to have /admin/ accessing /data/ or HTTP through to
HTTPS for POST etc.
I agree CORS is needed, but imho the UMP headers [1] really needed to be
added (if not just the Uniform-Headers
[1] http://dev.w3.org/2006/waf/UMP/#response-header-filtering
Best,
Nathan
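
Added example, not part of the original message or of either specification's text: a small model of the cross-origin response-header filtering discussed above, showing why script does not see Location on a 201 response unless the server lists it. It assumes the rules of the current Fetch Standard (safelisted names plus Access-Control-Expose-Headers), which may differ from the 2010 drafts; the function name, URLs and header values are constructed.

```javascript
// Response header names script may always read on a CORS response
// (CORS-safelisted response-header names in the Fetch Standard).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Never readable by script, whatever the server lists.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Hypothetical helper: returns the headers a cross-origin script can read.
// headers: plain object of response headers as sent by the server.
// credentialed: true when the request was sent with credentials.
function visibleToScript(headers, credentialed = false) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const exposed = (lower["access-control-expose-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  // "*" acts as a wildcard only for requests made without credentials.
  const wildcard = !credentialed && exposed.includes("*");
  const allow = new Set([...SAFELISTED, ...exposed]);
  const out = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (wildcard || allow.has(name)) out[name] = value;
  }
  return out;
}

// Constructed sample: a 201 Created reply to an AtomPub-style POST.
const CREATED = {
  "Content-Type": "application/atom+xml;type=entry",
  "Location": "https://api.example/entries/42",
  "Content-Location": "https://api.example/entries/42.atom",
  "Set-Cookie": "sid=constructed",
};

// Without an opt-in, only Content-Type survives the filter.
console.log(Object.keys(visibleToScript(CREATED)));
// With the server opting in, the client can follow the new resource.
console.log(Object.keys(visibleToScript({
  ...CREATED,
  "Access-Control-Expose-Headers": "Location, Content-Location",
})));
```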