This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
http://enable-cors.org! I've heard a ton of interest from developers that want to integrate IDEs, tools, widgets, etc. with the web docs. webplatform's goal is to be the canonical docs for the web; we should allow people to access them any way they see fit.
Not sure if we serve on apache but this should do it..

    <IfModule mod_headers.c>
        Header set Access-Control-Allow-Origin "*"
    </IfModule>
I worry about enabling this via apache for every request... We can do it via filematch (which we just did for fonts), and can do it for MediaWiki's api using this: http://www.mediawiki.org/wiki/Manual:$wgCrossSiteAJAXdomains I just enabled that as well.
There's info on security here: http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity ...there can be a perf overhead with the preflight request, but that is minimal. Is it possible to open it up to only /wiki/tutorial pages for starters? Also, if we go the route of whitelisting domains, how can folks add/suggest new ones?
More info here: http://monsur.hossa.in/2012/09/07/thoughts-on-the-cors-preflight-cache.html Monsur has done experiments with CORS. He says: "serving the header should not be costly at all i mean, you are adding, what, 30 bytes per request" The worry is that you open up an "API" for folks to use. However, there's also nothing to stop folks from iframing in our pages and creating extra load on the server. If the server load is a worry, has there been any thought in allowing folks to request a page as JSON?...and only enable the CORS headers for those types of requests?
More info from Monsur: "honestly, i don't see it as being a big perf hit as long as devs play within the rules.. besides, if a dev is being malicious, they can find better ways than cors to do it (e.g. just write a script to hit the front page over and over)" At the very least, I'd like us to consider setting up a form or page where users can suggest their domain if we go the whitelisting route.
Just found out that GET requests without simple headers (http://www.w3.org/TR/cors/#simple-header) don't incur preflight requests.
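The whitelisting route and the /wiki/tutorial scoping raised in the comments above, sketched as an Apache configuration. This is an added example, not configuration from webplatform.org or from any commenter: the two origins are placeholders, the path pattern is an assumption about how those pages are served, and mod_setenvif is assumed to be loaded.

```apache
# Added example. Origins and path pattern are illustrative assumptions.
#
# Site-wide wildcard, as posted earlier in this thread (shown for contrast):
#   Header set Access-Control-Allow-Origin "*"
#
# Scoped alternative: CORS headers only on /wiki/tutorial pages, and only
# for origins on an explicit allowlist.
<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
    <LocationMatch "^/wiki/tutorial(/|$)">
        # Anchor the pattern at both ends and escape the dots so that
        # look-alike hosts (ide.example.org.evil.test, ideXexample.org)
        # do not match. $0 stores the full matched Origin value.
        SetEnvIf Origin "^https://(ide\.example\.org|widgets\.example\.com)$" CORS_ALLOWED_ORIGIN=$0

        # Echo the origin back only when it matched the allowlist.
        # Requests from any other origin get no CORS header at all.
        Header set Access-Control-Allow-Origin "%{CORS_ALLOWED_ORIGIN}e" env=CORS_ALLOWED_ORIGIN

        # The response now differs per Origin, so shared caches must key
        # on it; otherwise one origin's header is served to another.
        Header merge Vary "Origin"
    </LocationMatch>
</IfModule>
</IfModule>
```

New domains suggested through a form or page would be added as further alternatives inside the parenthesised group of the SetEnvIf pattern.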