- From: <bugzilla@jessica.w3.org>
- Date: Fri, 21 Jan 2011 19:07:57 +0000
- To: public-webapps@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11835
Summary: Please do *not* require a same-origin restriction in
user agents (as currently specified under "Security
Considerations")! These cross-origin data leakage
security issues have already been addressed by the
CORS specification (http://www.w3.org/TR/cors/).
Product: WebAppsWG
Version: unspecified
Platform: Other
URL: http://www.whatwg.org/specs/web-apps/current-work/#top
OS/Version: other
Status: NEW
Severity: normal
Priority: P3
Component: Server-Sent Events (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: contributor@whatwg.org
QAContact: member-webapi-cvs@w3.org
CC: mike@w3.org, public-webapps@w3.org
Specification: http://dev.w3.org/html5/eventsource/
Section: http://www.whatwg.org/specs/web-apps/current-work/complete.html#top
Comment:
Please do *not* require a same-origin restriction in user agents (as currently
specified under "Security Considerations")! These cross-origin data leakage
security issues have already been addressed by the CORS specification
(http://www.w3.org/TR/cors/). EventSource should simply adopt the policies
outlined there.
I consider this a critical flaw, as cross-domain requests are essential to
working around user agent connection limits. Unless this is addressed,
developers will simply ignore native user agent implementations and write their
own, XHR+CORS-based, APIs (as they're already doing). This spec will be
nothing more than tepid inspiration for those 3rd-party solutions, and ignored
otherwise.
Posted from: 66.220.144.74
Received on Friday, 21 January 2011 19:07:59 UTC