[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)

Adam Barth cap-talk at adambarth.com
Fri Jun 26 11:29:32 EDT 2009


On Fri, Jun 26, 2009 at 1:36 AM, Toby Murray<toby.murray at comlab.ox.ac.uk> wrote:
> Right. So proxying (which was raised as one potential solution in this
> thread) is out. As David Wagner pointed out (amongst others) all
> alternative approaches require the cooperation of finance.google.com.

CORS also requires finance.google.com to participate.  The server
needs to opt-in to having its resources shared.

> One proposal (I think independently from Ihab and David Chizmadia) was
> that the acme webserver makes a single request to google at the start of
> each user's session with acme to obtain a token for that user. This
> requires that acme supports some notion of user sessions, however. I
> expect your example doesn't want to make this assumption from other
> things you've said in this thread.

How does this help?  Bob will just get the token from his account at
Acme and now all the visitors to Bob's Finance will get Google Finance
stock data.

> Another proposal (from Sandro Magi) was for finance.google.com to
> support some kind of API in which a secret token issued to each visitor
> to acme is then passed to finance.google.com (via an XHR in the user's
> browser). In response google issues each of acme's visitors a token
> (which perhaps expires after a certain amount of time or is otherwise
> attenuated in some way) that the user can then use to make XHR requests
> to google to fetch stock prices.

You still haven't explained how this stops transplantation of the
token from Bob's browser to finance.bob.com.

> David Wagner also suggested negotiating a shared key between acme and
> google. Acme uses this shared key to construct tokens that can be
> recognised and authenticated by Google.

This seems workable if the tokens are single-use.

> Now that some proposals are on the table, how would you say they compare
> to the Origin: approach (either generally, or for this particular
> example)?

Here's the CORS approach:

When Google Finance receives a request for
http://finance.google.com/api/stockticker/MSFT:

1) Let /requesting origin/ be the value of the /Origin/ header.
2) If /requesting origin/ is a member of the /authorized origins/
white list, then:
  A) Append the Access-Control-Allow-Origin header to the response
with the value /requesting origin/
3) Append the header Vary: Origin to the response.  (You can also use
Expires or Cache-Control here for a similar effect.)

Adam
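The three-step server-side check Adam lays out above, as an added worked example written for this archive page (it is not code from the thread, from Google, or from the CORS specification). The allow-list entries, the origin names such as acme.example and finance.bob.test, and the function names are constructed for illustration. Alongside the server logic it includes a small model of the browser-side decision, which is what actually stops the "Bob's Finance" case: the server still sends the bytes, but the browser only exposes them to a page whose origin matches the Access-Control-Allow-Origin value.

```python
"""
Added example: the CORS check for a resource such as /api/stockticker/MSFT.

  1) requesting origin := value of the Origin request header
  2) if it is a member of the authorized-origins allow list, echo it
     back in Access-Control-Allow-Origin
  3) always add "Vary: Origin" so a shared cache never replays an
     Access-Control-Allow-Origin header minted for one origin to another

All names below are constructed for this example.
"""
from typing import Dict, Mapping, Optional, Tuple

# Constructed allow list: origins that may read the stock-ticker data.
# Entries are full origins (scheme + host + optional port), compared exactly.
AUTHORIZED_ORIGINS = frozenset({
    "http://acme.example",
    "https://acme.example",
})


def cors_response_headers(request_headers: Mapping[str, str],
                          authorized_origins=AUTHORIZED_ORIGINS) -> Dict[str, str]:
    """Return the CORS-related response headers for one request."""
    # Header names are case-insensitive; normalise before looking up Origin.
    lowered = {k.lower(): v for k, v in request_headers.items()}
    requesting_origin: Optional[str] = lowered.get("origin")  # step 1

    response = {"Vary": "Origin"}  # step 3, applied unconditionally

    # Step 2: exact membership test. A substring or prefix test such as
    # `"acme.example" in requesting_origin` would also accept an origin like
    # http://acme.example.other-site.test, so only exact matches are allowed.
    if requesting_origin is not None and requesting_origin in authorized_origins:
        response["Access-Control-Allow-Origin"] = requesting_origin  # step 2A
    return response


def handle_stockticker(request_headers: Mapping[str, str],
                       symbol: str) -> Tuple[int, Dict[str, str], str]:
    """Serve the (constructed) quote; CORS headers gate reading, not sending."""
    quotes = {"MSFT": "23.35"}  # constructed sample data
    if symbol not in quotes:
        return 404, cors_response_headers(request_headers), ""
    headers = cors_response_headers(request_headers)
    headers["Content-Type"] = "text/plain"
    return 200, headers, quotes[symbol]


def browser_may_read(page_origin: str, response_headers: Mapping[str, str]) -> bool:
    """Model of the browser-side check for a non-credentialed XHR.

    The page's script gets the response body only if the server named the
    page's own origin (or "*") in Access-Control-Allow-Origin.
    """
    allowed = response_headers.get("Access-Control-Allow-Origin")
    return allowed is not None and (allowed == "*" or allowed == page_origin)


def fetch_from_page(page_origin: str, symbol: str) -> Optional[str]:
    """Simulate an XHR from a page at page_origin; None means the read was blocked."""
    status, headers, body = handle_stockticker({"Origin": page_origin}, symbol)
    if status != 200 or not browser_may_read(page_origin, headers):
        return None
    return body


if __name__ == "__main__":
    print("acme.example:", fetch_from_page("http://acme.example", "MSFT"))
    print("finance.bob.test:", fetch_from_page("http://finance.bob.test", "MSFT"))
```

Two design points worth noting. The server answers every request with the data; what changes per origin is only the Access-Control-Allow-Origin header, so there is nothing to "transplant": a page at finance.bob.test sends its own Origin, is not on the list, and its script never sees the body. The unconditional Vary: Origin matters because a shared cache that ignored the Origin header would otherwise store the acme.example response, including its echoed allow header, and hand it to the next origin that asks.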
