[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)

Sandro Magi naasking at higherlogics.com
Tue Jul 7 09:38:57 EDT 2009


Adam Barth wrote:
> If I understand this correctly, this optimized the original design by
> a factor of N (the number of requests the token is good for).
> Essentially, the browser has to contact acme.com every N requests.
> Unfortunately, Bob gets the same N-fold reduction in proxying by just
> proxying the N-powerful token instead of the data.

Yes, but note that Acme need not manage a single powerful token. It
could manage multiple use-limited tokens, and if some of them expire
more quickly than others, it can generate new ones and assign specific
tokens to specific clients to check for abuse, then blacklist those
clients [1]. Bob will quickly find himself shut down.

The point is, Acme has more control with tokens, and tokens solve more
than just this single case where the incentives just happen to be
aligned just right [2,3].

Sandro

[1] http://www.eros-os.org/pipermail/cap-talk/2009-June/012898.html
[2] http://www.eros-os.org/pipermail/cap-talk/2009-July/012974.html
[3] http://www.eros-os.org/pipermail/cap-talk/2009-July/012985.html
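
The per-client, use-limited token scheme described in the message above, sketched as an added example that is not part of the original post or of any code from the thread. The `TokenIssuer` class, the strike threshold, and the choice of abuse signal (a token still being presented after its uses are spent) are assumptions made for illustration.

```python
import secrets

class TokenIssuer:
    """Hypothetical Acme-side issuer of use-limited, per-client tokens."""

    def __init__(self, max_strikes=2):
        self.max_strikes = max_strikes   # assumed abuse threshold
        self.tokens = {}                 # token -> [client_id, uses_left]
        self.strikes = {}                # client_id -> over-use count
        self.blacklist = set()

    def issue(self, client_id, uses):
        """Mint a token bound to one client; refuse blacklisted clients."""
        if client_id in self.blacklist:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = [client_id, uses]
        return token

    def redeem(self, token):
        """Spend one use. Over-use is attributed to the assigned client."""
        entry = self.tokens.get(token)
        if entry is None:
            return False                 # unknown or revoked token
        client_id, uses_left = entry
        if uses_left > 0:
            entry[1] -= 1
            return True
        # Token is exhausted but still being presented: count a strike
        # against the client it was assigned to (assumed abuse signal).
        self.strikes[client_id] = self.strikes.get(client_id, 0) + 1
        if self.strikes[client_id] >= self.max_strikes:
            self.blacklist.add(client_id)
            # Revoke every outstanding token tied to this client.
            self.tokens = {t: e for t, e in self.tokens.items()
                           if e[0] != client_id}
        return False

def demo():
    """Constructed scenario: bob's token is over-used, alice's is not."""
    acme = TokenIssuer(max_strikes=2)
    alice = acme.issue("alice", uses=3)
    bob = acme.issue("bob", uses=2)
    bob_results = [acme.redeem(bob) for _ in range(4)]    # 2 valid, 2 over-use
    alice_results = [acme.redeem(alice) for _ in range(3)]
    return bob_results, alice_results, sorted(acme.blacklist), acme.issue("bob", 5)
```

Because each token maps back to exactly one client, over-use identifies who to cut off without affecting tokens held by anyone else.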


