CORS considered harmful

2011-02-02 @ 11:13#

Update:comments are back!

well, i'm proly gonna catch some crap for this rant, but here goes..

an interesting 'discussion' started on the intar-webs today regarding the CORS model. here are the two posts that started the buzz:

I don't think the distinction between "embedding" and "reading" was a conscious design decision. It seems that when <img>, <script> and <style> first appeared, cross-origin loads were allowed because no-one had thought of the problems that would arise. Then when APIs emerged that allowed reading the full resource data (e.g. XHR and getImageData), we realized we couldn't allow that cross-origin, but we couldn't break compatibility with cross-origin embedding, so we were forced to distinguish between embedding and reading.

Distinguishing "Embeddable" Versus "Readable" Web Resources Considered Harmful

Robert O'Callahan dislikes the way web architecture has evolved and proposes that for everything new we do things slightly differently. He argues that the current complexity is hard to understand and that therefore we should have a different approach for everything new, starting with fonts. I think this is a bad idea and have said so in the past. For better or worse, all APIs within the web platform work on the principle that embedding cross-origin resources is okay, and reading cross-origin resources is not.

Breaking Web Platform Consistency Considered Harmful

the wrong argument

while the discussion is interesting, it's the wrong discussion to have. arguing the details of how to apply cross-origin policy is missing the forest for the trees. the problem is the notion of cross-origin in the first place.

"Cross-Origin thinking" it's a bad way to model the Web.

there is no "cross-origin" on the Web. IT'S THE WEB DAMMIT!

now, i understand that the common Web browser has problems; lots of them. but "the Web" is not one of them. instead of modeling the Web as the browser, it should be the other way 'round.

writing 'cross-origin' apps is safe and easy w/o the browser

i've been writing 'cross-origin' applications for the Web for years w/o any problems. no i don't use Cookies. yes, i use HTTP Authentication. and i admit that don't use a browser as my user agent much because the browser has become such a rat's nest of conflicting implementation details and browser support for HTTP remains limited.

specifically, the authority portion of a URI is just a 'namespace.' treating it like a magical security boundary for all cases and all uses is just foolish. sure browsers have issues to deal w/ here; that's a bummer. but making everyone tow the same line - no matter the server or client software involved - is the real harm here.

web platform? srsly?

and, another thing, while "web platform" is a catchy phrase, that is another problem w/ the current thinking in the "browser community." common Web browsers are not "the web platform." at most the browser might be A web platform. and i don't yet buy into the notion that a browser even is a platform at all.

keepin' it real

so, let's not get too excited here; who ever 'wins' today's argument is still the winner of the wrong argument.

because the CORS notion itself is the cause of frustrations, not the solution to them.