[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)
Adam Barth
cap-talk at adambarth.com
Tue Jul 7 12:07:27 EDT 2009
On Tue, Jul 7, 2009 at 8:39 AM, Karp, Alan H <alan.karp at hp.com> wrote:
> Thanks for your patience. Just one last note to make sure I understand. Code running on a page in the browser cannot set the Origin header, only the browser can do that. Bob's Finance could deliver to the user an application that does not run in the browser, but Acme Finance would still have a competitive advantage.
If Bob can run an application outside of the browser, there's nothing
the browser can do to help. As I've stated several times on this
thread: CORS is only bridging barriers erected by the browser. If you
aren't subject to the browser's restrictions, there's nothing we can
write in the spec that will help.
> The threat is not that Bob's Finance will use the Acme Finance account, as I and I think others were assuming. The threat is that there is some way that Acme Finance will lose the competitive advantage that comes from having an account with Google Finance.
Yes.
Adam