Do we need CORS for open data (was: Statistics on open data available for CORS consumption?)

Hi,

sorry to hijack Bill's thread at the very beginning, but I've been musing
with some ideas recently, and this question about CORS makes it timely that
I share them with you, I think.

We need CORS because AJAX queries inherit our cookies, and so may return
sensitive data, with which we would not trust every piece of JS.

But we are talking here about open data, data that is available to every
server anyway, so protecting it in the browser is pointless.

So why don't we, webapp developers, have a way to tell the browser: "this
data I want to fetch is public, so you can get it **without** any of the
user's cookies, but please don't bother me with missing CORS headers"? A
special kind of AJAX call that would be to XMLHttpRequest what Private Tabs
are to Regular Tabs?

Actually, one could already emulate this kind of thing by sending the query
through a service such as http://corsproxy.com/, but this makes it
dependent on a third party service (although it is quite trivial to
implement on your own server if you need it).

What do you think? Am I missing a security hole that this kind of
functionality would create? Or could this become part of the standard Web
stack?

best

On Tue, Jan 13, 2015 at 7:22 PM, Brad Hill <hillbrad@gmail.com> wrote:

>  Over in the WebAppSec WG, TBL has sparked a discussion on our Mixed
> Content draft ( https://w3c.github.io/webappsec/specs/mixedcontent/ )
> with concerns that strict prohibition of inclusion of http data into https
> web applications will lock out a good deal of open data on the web.
>
>  He gave as an example:
>
>  http://lod-cloud.net/
>
>  I made a spot sample of the first data set listed on this site, and
> while indeed it was only available over http, it also did not appear to set
> CORS headers, and so would not be available for consumption by a web
> platform mashup app, anyway.
>
>  I'd like to get a good sense for the size of the issue here: what data
> that is *actually* available to web mashups today would be blocked by
> stricter mixed content rules. (If a site really has no maintainers, I
> understand the issue, but if it would need maintenance to add
> Access-Control-Allow-Origin: * headers, that same maintainer can almost as
> easily turn on https.)
>
>  Do any domain experts in LDP have ballpark numbers or even a fuzzy
> feeling for the magnitude of open data which:
>
>  1) Currently has CORS headers and is usable (and used) today in web
> platform mashups
>
>  and:
>
>  2) Is not available over https
>
>  thanks,
>
>  Brad Hill
> Co-chair, WebAppSec WG
>

Received on Tuesday, 13 January 2015 21:36:47 UTC