CORS
Cross-Origin Resource Sharing: CORS and Uniform Messaging Policy
- Latest Working Draft: Working Draft 2009-03-17
- See also: Latest Editor's Draft
Alternate proposal:
- Uniform Messaging Policy (proposed by Tyler Close, Mark S Miller)
Abstract
This document defines a mechanism to enable client-side cross-origin requests. Specifications that enable an API to make cross-origin requests to resources can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this specification (e.g., specifying Access-Control-Allow-Origin: http://example.org as response header), which would allow that resource to be fetched cross-origin from http://example.org.
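The opt-in described in the abstract, sketched from both sides as an added example (not code from the specification or its editors): the resource on http://hello-world.example chooses which header to send, and the client-side check decides whether the response may be shared with the requesting origin. The function names and the allowlist are assumptions, and the request is assumed to carry no credentials.

```javascript
// Added illustration; names and the allowlist are hypothetical.

// Serialize a URL's origin as scheme://host[:port] (default ports dropped).
function serializeOrigin(urlString) {
  return new URL(urlString).origin;
}

// Resource side (http://hello-world.example): origins it opts in to.
const ALLOWED_ORIGINS = new Set(["http://example.org"]); // constructed allowlist

// Echo the Origin back only on an exact allowlist match. No substring or
// prefix matching, which would also accept look-alike hosts.
function corsResponseHeaders(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // no opt-in header: the client must not share the response
  }
  // Vary: Origin keeps shared caches from reusing this response for
  // a request that came from a different origin.
  return { "access-control-allow-origin": origin, "vary": "Origin" };
}

// Client side: may the response be exposed to the requesting page?
function sharingCheck(requestingOrigin, responseHeaders) {
  const allow = responseHeaders["access-control-allow-origin"];
  if (allow === undefined) return false; // resource did not opt in
  if (allow === "*") return true;        // any origin (no credentials)
  return allow === requestingOrigin;     // exact, case-sensitive comparison
}

// One cross-origin fetch from the page at pageUrl, end to end.
function simulateFetch(pageUrl) {
  const origin = serializeOrigin(pageUrl);
  const headers = corsResponseHeaders({ origin });
  return sharingCheck(origin, headers);
}

// Constructed sample pages: only the first is on the allowlist.
for (const page of [
  "http://example.org/app.html",
  "https://example.org/app.html",          // same host, different scheme
  "http://example.org.lookalike.example/", // prefix matches, origin does not
]) {
  console.log(page, "->", simulateFetch(page) ? "shared" : "blocked");
}
```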
Notes
There is an ongoing discussion about confused deputy problems in CORS:
- Maciej's slides from TPAC
- Response to the challenge in Maciej's slides
- @@ does anybody have a link to the minutes of the TPAC session on CORS?