On Fri, Oct 23, 2009 at 5:29 PM, Doug Schepers <schep...@w3.org> wrote:
> That's an interesting point... if the proponents or opponents of CORS did
> more testing and modeling, would that satisfy concerns? Surely it couldn't
> be hard to set up a few common model architectures using CORS and announce
> them as targets for the white hat community?
>
> Mind you, I'm not stating one way or the other that this should be part of
> the exit criteria for CORS, just that it would be helpful overall, and
> frankly, if it hasn't been tried, I'm a little surprised... isn't this
> *exactly* the sort of thing Google, MS, the browser vendors, and the
> security community at large have the resources and expertise to do, as well
> as the incentive? Can a brother get a honeypot?

The issues that Mark and co raise are not really the kinds of things one can evaluate with a honeypot-type contest. They're worried about what web developers will build if we give them CORS as a tool.

Adam