[cap-talk] Open Review of the CORS Specification
Doug Schepers
schepers at w3.org
Mon Oct 12 18:12:55 PDT 2009
Hi, Folks-
Please allow me to introduce myself: I'm the W3C Team Contact for the
WebApps Working Group, which is developing the Cross-Origin Resource
Sharing (CORS) specification (with which some of you are familiar).
It seems that there was some confusion about the details for reviewing
that specification, and specifically about the openness of the process.
I posted a response which Mark Miller asked me to make public,
suggesting that I post it to this list. (Thanks, Mark, for the suggestion.)
To summarize:
There were concerns that the CORS spec might not satisfy all the related
security issues; this is true, but we do believe that it solves a useful
set of cases, and doesn't introduce additional risk.
I suggested that making a diagram of the contextual architecture, with
considerations for potential attack vectors, might help everyone discuss
the spec (and related matters) with less confusion, and I've volunteered
to help create that diagram.
As with all the WebApps WG specs (and those of most of W3C at this point)...
1) CORS is available for review in both its Working Draft [1] and
Editor's Draft [2] forms at all times by all people
2) We welcome technical review by anyone, with particular interest in
feedback from security experts, and response to such feedback will be
based on technical merit, not on whether a person is a member of the
WebApps WG (nor even a Member of W3C)
3) The public WebApps WG list, public-webapps at w3.org, is where we do all
our technical work, and everyone is free to read or post to that list
4) If the volume of email on that list is so great as to introduce a
barrier to participation, we can discuss creating a dedicated mailing
list for CORS
5) We would consider adding an editor to the CORS spec if it's shown
that the current editor is not responsive to constructive technical
argument, and if a suitable editor can be found (though I think the
current editor is doing a pretty good job)
6) To reiterate: nobody who wants to contribute to the CORS
specification has to join the WebApps WG.
Obviously, we'd love it if companies were to join W3C to participate...
that's what pays our bills (and my salary), and I believe it's a worthy
cause (er... the cause being an open forum for development of specs, not
just my salary), but it's not a prerequisite for active review and
contribution (though the IPR of contributions is more clear for W3C
Members, which is another reason we encourage it).
We've put a lot of energy in the last few years in making W3C an open
forum for discussion, debate, and decisions on Web technologies, because
we think it's the right thing for the Web, and it helps our core mission.
If anyone has any questions or concerns about any of this, let me know.
I hope to get thorough review of the CORS spec, because I think it will
really help move the Web forward, but we need to make sure it's done
right and meets the needs of the appropriate stakeholders.
[1] http://www.w3.org/TR/cors/
[2] http://dev.w3.org/2006/waf/access-control/
Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs