Anne van Kesteren

Still looking for alternatives to CORS and WebSocket

Due to the same-origin policy protecting servers behind a firewall, cross-origin HTTP came to browsers as CORS and TCP as WebSocket. Neither CORS nor WebSocket addresses the problem of accessing existing services over protocols such as IRC and SMTP. A proxy of sorts is needed.
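Why WebSocket cannot reach an existing IRC or SMTP service: a client only treats the connection as open after the server completes the opt-in handshake from RFC 6455, which a legacy service never does. The sketch below is an added example, not part of the original post; the function names, host names and server replies are constructed for illustration, and the key is the sample nonce from RFC 6455.

```python
import base64
import hashlib

# Fixed GUID defined by RFC 6455 for deriving Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample inputs: the client's key and the first bytes three servers send back.
KEY = "dGhlIHNhbXBsZSBub25jZQ=="
WS_REPLY = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
SMTP_BANNER = b"220 mail.example.test ESMTP ready\r\n"
IRC_NOTICE = b":irc.example.test NOTICE * :*** Looking up your hostname\r\n"


def expected_accept(sec_websocket_key: str) -> str:
    """Value a WebSocket-aware server must return in Sec-WebSocket-Accept."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def server_opted_in(sec_websocket_key: str, first_bytes: bytes) -> bool:
    """Client-side check: True only if the peer completed the WebSocket handshake."""
    head, _, _ = first_bytes.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/1.1") or status[1] != "101":
        return False  # SMTP and IRC greetings fail here: not an HTTP 101 reply
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return (
        headers.get("upgrade", "").lower() == "websocket"
        and "upgrade" in tokens
        and headers.get("sec-websocket-accept") == expected_accept(sec_websocket_key)
    )


if __name__ == "__main__":
    for label, reply in (("websocket", WS_REPLY), ("smtp", SMTP_BANNER), ("irc", IRC_NOTICE)):
        print(label, server_opted_in(KEY, reply))
```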

We came up with an idea whereby the browser would ship with an HTTP/TCP/UDP API by default. Instead of opening direct connections, a user-configurable public internet proxy would be used, with a default provided by the browser. The end goal would be having routers announce their own public internet proxy to reduce latency and increase privacy. Unfortunately, routers have no way of knowing whether they are connected to the public internet, so this plan falls short. (There were other concerns too, e.g. shipping and supporting an open proxy indefinitely has its share of issues.)

There might still be value in standardizing some kind of proxy for HTTP/TCP/UDP traffic that is selected by web developers rather than the browser, similar to TURN servers in WebRTC. Thoughts welcome.