[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)

Adam Barth cap-talk at adambarth.com
Fri Jun 26 03:52:06 EDT 2009


On Fri, Jun 26, 2009 at 12:38 AM, Mark Miller<erights at gmail.com> wrote:
> I'm not sure either. Toby may not be. Adam is here in this conversation and
> can clarify. How better to understand what he's saying than to speculate on
> what he seems to be saying and ask if we've got it right?

Here's what I said:

[[
How exactly do you envision secret tokens working?  Suppose Google
Finance wants to let Acme Finance XHR for stock ticker information.
How does Acme Finance get the secret tokens?  Presumably Acme has to
use a fresh token for each request so that Bob's Finance can't just
grab Acme's token from their home page.  Now, for each request, Acme
Finance has to contact Google Finance on the backend and get a token.
Sounds like a pain.
]]

What I meant by "sounds like a pain" is in this strawman design, ACME
has to make a network request from the browser to acme.com and from
acme.com to finance.google.com for each request it wants to make from
the client to finance.google.com.  That seems counterproductive
because ACME might as well just proxy the stock ticker data at that
point.

It's entirely possible there's a better design that doesn't involve as
many requests.  I was just asking what that design is.  It's hard to
evaluate whether X proposal is better than Y proposal without
understanding how X and Y handle the basic use cases of the feature.
I didn't mean this as a "challenge."  I figured you already knew the
answer since you've been advocating for this alternative design for a
while.

Adam
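The strawman flow described above (browser to acme.com, acme.com to finance.google.com for a fresh token, then the cross-origin XHR), modelled as an added illustration that is not part of the original mail. The party names, the HMAC-signed single-use token format and the hop counting are assumptions made for the example.

```python
import hmac, hashlib, secrets

class GoogleFinance:
    """Data origin: issues single-use tokens to a known partner backend and
    serves the ticker only to an XHR carrying an unspent, correctly signed token."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # constructed server-side secret
        self._unspent = set()                 # tokens issued but not yet used
        self.requests_seen = 0

    def issue_token(self, partner: str) -> str:
        # Backend-to-backend call (acme.com -> finance.google.com); token is bound to the partner.
        self.requests_seen += 1
        nonce = secrets.token_hex(8)
        mac = hmac.new(self._key, f"{partner}:{nonce}".encode(), hashlib.sha256).hexdigest()
        token = f"{partner}:{nonce}:{mac}"
        self._unspent.add(token)
        return token

    def ticker_xhr(self, token: str) -> dict:
        # The cross-origin XHR from the browser. A token is honoured exactly once,
        # so a token lifted from Acme's page cannot be replayed by a third site.
        self.requests_seen += 1
        parts = token.split(":")
        if len(parts) != 3:
            return {"ok": False, "reason": "malformed"}
        partner, nonce, mac = parts
        expected = hmac.new(self._key, f"{partner}:{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return {"ok": False, "reason": "bad signature"}
        if token not in self._unspent:
            return {"ok": False, "reason": "token already spent"}
        self._unspent.discard(token)
        return {"ok": True, "partner": partner, "GOOG": 123.45}  # constructed quote

class AcmeBackend:
    """acme.com: fetches one fresh token from Google for every client request."""
    def __init__(self, google):
        self.google, self.requests_seen = google, 0

    def get_token(self) -> str:
        self.requests_seen += 1                  # hop 1: browser -> acme.com
        return self.google.issue_token("acme")   # hop 2: acme.com -> finance.google.com

def browser_fetch(acme, google):
    """One client-side ticker fetch under the strawman; returns (result, hops, token)."""
    before = acme.requests_seen + google.requests_seen
    token = acme.get_token()
    result = google.ticker_xhr(token)            # hop 3: browser -> finance.google.com
    return result, acme.requests_seen + google.requests_seen - before, token
```

Each fetch costs three network requests; Acme proxying the ticker through its own backend would need only two, which is the point about the strawman being counterproductive.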