[p3t] Draft CORS guidance for an IVOA JSON protocol
Russ Allbery
eagle at eyrie.org
Fri May 31 16:47:50 CEST 2024

Markus Demleitner via p3t <p3t at ivoa.net> writes:

> But I don't think that's something we can discuss: Try writing a
> standard with such an abstraction (Datalink, as I said, would be my
> obvious choice), and then let's see if it remains understandable.

Yes, I completely agree: I think we've exhausted the utility of a more
abstract discussion at this point and are going to start asserting design
principles at each other in a way that doesn't accomplish anything. The
next step is to start writing things down, experimenting with both the
structure of the standards and with running code implementing them, and
see what the results look like. That's what I'm planning to work on next.

> Datalink would also be a good choice because I think the current
> standard is not very accessible to start with, so there is some
> low-hanging fruit in improving its readability in the process of
> updating it.

I personally will probably start with SODA, not because it's all that good
for this purpose but because it's the thing I have to work on for other
reasons anyway and I can start drafting some documents as a side effect of
other work. But DataLink would be next on my list and I similarly have a
lot of opportunities to test that with running code. I would love to work
with other folks on that.

Thanks for the discussion! This was helpful in working out the best way
to talk about CORS and other CSRF protection techniques. It's clear that
this is going to be one of the most confusing parts to document, so it's
very useful to work through where the guidance needs to be tightened.

--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>