- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 13 Sep 2012 14:16:00 +1000
- To: Jonathan A Rees <rees@mumble.net>
- Cc: www-tag@w3.org
On 11/09/2012, at 11:20 PM, Jonathan A Rees <rees@mumble.net> wrote:

> 1. Mark Nottingham
> "[cors] Review"
> http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/0643.html
> May 2009
>
> There are about 40 messages in the response thread. I haven't gone to
> the effort to check whether or how subsequent drafts (of which there
> have been several) addressed Mark's points.

That's one of many interactions I've had with them over the years about CORS.

In a nutshell, it was designed with a particular use case in mind -- allowing individual resources to control access, rather than having origin-wide access control (despite many other mechanisms being site-wide, e.g., P3P, sitemaps.xml, robots.txt, and the origin security model itself). As a result, the design is quite convoluted, complex to implement, and very 'chatty' for some use cases.

In discussion with some WG members, I think we came to a place where we agreed that having CORS move forward was sensible, since it's already implemented; perhaps CORS2 might be better one day (although that's undoubtedly going to take some time, if it ever happens).

Cheers,

--
Mark Nottingham
http://www.mnot.net/

Received on Thursday, 13 September 2012 04:16:28 UTC