Boris Zbarsky wrote:
On 5/11/10 1:10 AM, Nathan wrote:
[!snip]
Boris, all,
I honestly don't have the solutions (as you can easily see) - what I can
see is that with CORS as it stands, and with same origin rules, then the
web is about as safe as it can get from XSS, which is crucial. This
won't change, and after 5 years of WIP and wide deployment it most
likely can't change.
I can also see a situation ahead [1] where both safety and openness
need to be addressed at the same time - but that's probably years off
for the general web population & may well require accountability / web
of trust etc.
Thus, dropped for now - I have to adopt anyway so may as well do it ASAP
and encourage others to do the same (esp. once it hits recommendation).
One request though, does anybody have a chart or note of UA support for
CORS? (even partial definitely doesn't work in x,y,z)
[1] http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0553.html
Best,
Nathan