On Oct 13, 2009, at 1:49 AM, ext Adam Barth wrote:

If this is not access control, I must ask: what do you mean by "access control"?

I'm not sure the abstract question of whether CORS is an access
control system is that meaningful.  We should concentrate on the
following questions:

1) Does CORS introduce security vulnerabilities into legacy servers
that are unaware of the CORS protocol?
2) How well does CORS support the simple use cases of cross-origin
resource sharing?
3) Does CORS prevent sophisticated developers from implementing
advanced use cases?

Do you find CORS problematic for any of the above questions?  Do you
think we should be concerned with other questions?

Agree these are the right questions. Thanks Adam.

I noticed "access control" doesn't even occur in the spec any more except for the document's shortname of "access-control" and we may change that name when the doc is next published.

-Regards, Art Barstow


