CORS suggestions [Was: Re: UMP / CORS: Implementor Interest]

2010-05-13 Thread Arthur Barstow

On May 12, 2010, at 2:42 PM, ext Jonas Sicking wrote:


If so, I'd really like to see the chairs move forward with making the
WG make some sort of formal decision on whether CORS should be
published or not. Repeating the same discussion over and over is not
a good use of your time or mine.


There is sufficient interest in CORS such that we should continue to  
work on it. As such, I don't think any type of formal decision re  
publication is needed.


Although this and other recent and related threads have indeed
re-hashed some previous discussions, among some of the suggestions made
are:


* CORS' security considerations section needs improvements

 http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0625.html
 http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0630.html


* Need security analysis e.g. with multi-party deployments; test the  
security properties of CORS (e.g. versus UMP)


 http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0645.html


* Need usage information for the app developer and server admin; when
is CORS safe to use; which is easier to use; guidelines for not
falling prey to attacks with CORS


 http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0543.html
 http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0646.html
 http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0648.html


* CORS needs text about Confused Deputy

 http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0612.html
 http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0648.html


Is anyone willing to contribute to the above?

-Art Barstow






Re: CORS suggestions [Was: Re: UMP / CORS: Implementor Interest]

2010-05-13 Thread Dirk Pranke
On Thu, May 13, 2010 at 6:39 AM, Arthur Barstow art.bars...@nokia.com wrote:
 On May 12, 2010, at 2:42 PM, ext Jonas Sicking wrote:

 If so, I'd really like to see the chairs move forward with making the
 WG make some sort of formal decision on whether CORS should be
 published or not. Repeating the same discussion over and over is not
 a good use of your time or mine.

 There is sufficient interest in CORS such that we should continue to work on
 it. As such, I don't think any type of formal decision re publication is
 needed.

 Although this and other recent and related threads have indeed re-hashed
 some previous discussions, among some of the suggestions made are:

 * CORS' security considerations section needs improvements

  http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0625.html
  http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0630.html

 * Need security analysis e.g. with multi-party deployments; test the
 security properties of CORS (e.g. versus UMP)

  http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0645.html

 * Need usage information for the app developer and server admin; when is CORS
 safe to use; which is easier to use; guidelines for not falling prey to
 attacks with CORS

  http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0543.html
  http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0646.html
  http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0648.html

 * CORS needs text about Confused Deputy

  http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0612.html
  http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0648.html

 Is anyone willing to contribute to the above?


I will happily contribute to this and to whatever work is necessary to
merge UMP and CORS into a single spec (plus additional non-normative
documents), if that's helpful.

-- Dirk