On 16.11.2010 19:12, Tab Atkins Jr. wrote:
> On Tue, Nov 16, 2010 at 10:06 AM, Boris Zbarsky <[email protected]> wrote:
>> On 11/16/10 12:56 PM, Tab Atkins Jr. wrote:
>>>> - it is applicable at the client side without scripting
>>> This is not possible, for the simple reason that the whole point of
>>> CORS is to protect server resources. If you could deal with CORS
>>> purely on the client side, you'd be allowing the page author to
>>> determine if they themself are allowed to access a file on another
>>> server. That's a pretty obvious inversion of responsibility. ^_^
>> Well, more precisely there is nothing that needs to be done on the client
>> side for CORS, right?
> Ah, if that's what Markus was getting at, then yes. CORS requires
> *zero* work on the client side, since it's completely done in the
> server-browser interaction. The entirety of the client's interaction
> in the process is the initial request for a resource.

That is great news. Adding a header via a server-side script is indeed
easy enough.
(As I did not find any HTML attributes or whatever in the CORS spec, I
was afraid that the use of XHR would be necessary to call a cross-origin
page in an Iframe - which looked like a huge overhead and also an
accessibility issue to me.)
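
The server-side half of the exchange discussed in this thread, as an added example that is not part of any message above: a WSGI handler that grants `Access-Control-Allow-Origin` only to origins on an exact-match allowlist. The origins, the resource body and the helper names are assumptions made for illustration.

```python
# Added example, not code from the thread. Origins and names are constructed.
from wsgiref.util import setup_testing_defaults

ALLOWED_ORIGINS = {"https://app.example.org", "https://partner.example.net"}


def cors_headers(origin):
    """Return the CORS response headers the server grants for a request Origin."""
    # Vary on Origin so a shared cache never replays one origin's grant
    # to a different origin.
    headers = [("Vary", "Origin")]
    # Exact string match only: no prefix/suffix tests and no blind
    # reflection of whatever Origin the request carried.
    if origin in ALLOWED_ORIGINS:
        headers.append(("Access-Control-Allow-Origin", origin))
    return headers


def app(environ, start_response):
    """The resource itself. The page author has no say in the grant."""
    origin = environ.get("HTTP_ORIGIN")
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    headers += cors_headers(origin)
    start_response("200 OK", headers)
    # The body is sent either way; the browser decides from the headers
    # whether the requesting page is allowed to read it.
    return [b"shared resource\n"]


def simulate(origin=None):
    """Run one request through the app offline; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for o in (None, "https://app.example.org", "https://other.example"):
        print(o, simulate(o)[1])
```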