- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 09 Jul 2008 16:13:52 -0700
- To: Anne van Kesteren <annevk@opera.com>
- CC: WebApps WG <public-webapps@w3.org>
Anne van Kesteren wrote:
>
> On Wed, 09 Jul 2008 22:22:52 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> The name "Access-Control-Origin" is IMHO confusing.
>
> It's more or less identical to how it works for Web sockets. (Called
> Websocket-Origin there.)

If only we had the editor of that spec around... ;)

>> Lastly, the 'URL' token http://dev.w3.org/2006/waf/access-control/#url
>> should not be a full URL, and I don't think we want to depend on HTML5
>> for it either. Currently we seem to be allowing the syntax
>>
>> Access-Control-Origin: http://foo.com/bar/bin/baz.html
>>
>> which I think is very bad as it seems to indicate that only that page
>> would be allowed to POST, which of course isn't something that we can
>> enforce.
>
> This is exactly how postMessage() works and it seems nice to align with
> that.

I am very strongly against this syntax as it gives a false sense of security. To the point where I don't think I'd be willing to implement it in Firefox.

The fact that postMessage allows this sounds very unfortunate and something that I will look into fixing in that spec. I don't want to carry this mistake forward into Access-Control.

>> Additionally, the way the spec was written before we could create a
>> conformant implementation now without having to worry about HTML5
>> changing things under us.
>
> Well, in the end we want all those concepts implemented in the same way
> everywhere, right? So I'm not sure how this matters.

So why not let HTML5 refer to Access-Control?

/ Jonas
Received on Wednesday, 9 July 2008 23:14:57 UTC
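The origin-versus-full-URL distinction argued above, as an added example that is not part of the original thread or of either spec: a server-side check that reduces whatever the client sent to scheme://host[:port] before comparing it against an allowlist, so that a path in the header (or in the allowlist) can never appear to narrow trust to a single page. The function names `origin_of`, `has_page_component` and `is_allowed` and the allowlist values are hypothetical and constructed for the example.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

# Default ports per scheme, so that "http://foo.com:80" and "http://foo.com"
# compare equal as origins.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(value: str) -> Optional[str]:
    """Reduce a URL or origin string to its scheme://host[:port] form.

    Returns None for values that are not a usable origin (missing scheme or
    host, or an unparsable port). Path, query and fragment are dropped: the
    origin is the unit the server can reason about, since it cannot verify
    which page within that origin issued the request.
    """
    parts = urlsplit(value.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # None when no explicit port is given
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def has_page_component(value: str) -> bool:
    """True when the header value carries more than an origin (a path, query
    or fragment), i.e. the misleading full-URL form discussed in the thread."""
    parts = urlsplit(value.strip())
    return (parts.path not in ("", "/")) or bool(parts.query) or bool(parts.fragment)


def is_allowed(header_value: str, allowlist: Set[str]) -> bool:
    """Server-side decision: compare the request's origin against an allowlist.

    Allowlist entries are normalised to origins as well, so a configuration
    that lists a full page URL still grants the whole origin, which is the
    only guarantee the server can actually enforce.
    """
    origin = origin_of(header_value)
    if origin is None:
        return False
    normalised = {o for o in (origin_of(entry) for entry in allowlist) if o}
    return origin in normalised
```

The `has_page_component` check is what a server could log or reject on, since a full URL in this header conveys no enforceable extra restriction.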