- From: Pierre-Antoine Champin <pierre-antoine.champin@liris.cnrs.fr>
- Date: Tue, 13 Jan 2015 22:35:58 +0100
- To: "public-ldp@w3.org" <public-ldp@w3.org>
- Message-ID: <CA+OuRR8mD+iJEyqmkLZmsSHJnBb-qpUHH_M1HBZDz9qGt6YcrQ@mail.gmail.com>
Hi,

sorry to hijack Bill's thread at the very beginning, but I've been musing with some ideas recently, and this question about CORS makes it timely that I share them with you, I think.

We need CORS because AJAX queries inherit our cookies, and so may return sensitive data, with which we would not trust every piece of JS. But we are talking here about open data, data that is available to every server anyway, so protecting it in the browser is pointless.

So why don't we, webapp developers, have a way to tell the browser: "this data I want to fetch is public, so you can get it **without** any of the user's cookies, but please don't bother me with missing CORS headers"? A special kind of AJAX call that would be to XMLHttpRequest what Private Tabs are to Regular Tabs?

Actually, one could already emulate this kind of thing by sending the query through a service such as http://corsproxy.com/, but this makes it dependent on a third party service (although it is quite trivial to implement on your own server if you need it).

What do you think? Am I missing a security hole that this kind of functionality would create? Or could this become part of the standard Web stack?

best

On Tue, Jan 13, 2015 at 7:22 PM, Brad Hill <hillbrad@gmail.com> wrote:

> Over in the WebAppSec WG, TBL has sparked a discussion on our Mixed
> Content draft ( https://w3c.github.io/webappsec/specs/mixedcontent/ )
> with concerns that strict prohibition of inclusion of http data into https
> web applications will lock out a good deal of open data on the web.
>
> He gave as an example:
>
> http://lod-cloud.net/
>
> I made a spot sample of the first data set listed on this site, and
> while indeed it was only available over http, it also did not appear to set
> CORS headers, and so would not be available for consumption by a web
> platform mashup app, anyway.
>
> I'd like to get a good sense for the size of the issue here: what data
> that is *actually* available to web mashups today would be blocked by
> stricter mixed content rules. (If a site really has no maintainers, I
> understand the issue, but if it would need maintenance to add
> Access-Control-Allow-Origin: * headers, that same maintainer can almost as
> easily turn on https.)
>
> Do any domain experts in LDP have ballpark numbers or even a fuzzy
> feeling for the magnitude of open data which:
>
> 1) Currently has CORS headers and is usable (and used) today in web
> platform mashups
>
> and:
>
> 2) Is not available over https
>
> thanks,
>
> Brad Hill
> Co-chair, WebAppSec WG
Received on Tuesday, 13 January 2015 21:36:47 UTC
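The "implement it on your own server" emulation mentioned in the message, as an added illustration (this is not code from the thread, from corsproxy.com, or from any W3C project): a small credential-stripping CORS proxy in Python's standard library. The browser asks the proxy for `/?url=<public URL>`; the proxy refuses any target not on a hypothetical allowlist (the placeholder hosts `data.example.org` and `lod.example.net` are assumptions), forwards the request without the user's `Cookie`/`Authorization` headers, refuses to follow redirects, drops `Set-Cookie` on the way back and adds `Access-Control-Allow-Origin: *`. The allowlist and the redirect refusal are the two pieces that keep such a proxy from becoming an open relay into the hosting server's own network, which is the kind of hole a "fetch anything, ignore CORS" helper can open if it is left unrestricted.

```python
"""Minimal credential-stripping CORS proxy for allowlisted open-data hosts (illustrative)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import parse_qs, urlparse
import urllib.request

# Hypothetical allowlist of hosts that serve public data (placeholder names, assumption).
PUBLIC_HOSTS = {"data.example.org", "lod.example.net"}

# Request headers that carry the user's identity: never forwarded upstream.
CREDENTIAL_HEADERS = {"cookie", "authorization", "proxy-authorization"}
# Response headers that must not be relayed: cookies would let the upstream site plant
# state in the browser, and the proxy sets its own CORS headers.
DROPPED_RESPONSE_HEADERS = {"set-cookie", "set-cookie2",
                            "access-control-allow-origin", "access-control-allow-credentials"}
# Transport-level headers the proxy manages itself.
HOP_BY_HOP = {"host", "content-length", "connection", "transfer-encoding", "keep-alive"}


def validate_target(url: str) -> str:
    """Accept only http(s) URLs to allowlisted hosts; refuse everything else.

    This check is what stops the proxy from fetching arbitrary internal addresses on
    behalf of any web page: the browser chooses the path, the operator chooses the hosts.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("only http/https targets are proxied")
    if parsed.username or parsed.password:
        raise ValueError("userinfo in the target URL is not allowed")
    if parsed.hostname not in PUBLIC_HOSTS:
        raise ValueError(f"host not in allowlist: {parsed.hostname!r}")
    return url


def outbound_headers(incoming: Dict[str, str]) -> Dict[str, str]:
    """Copy the browser's request headers minus anything credential-bearing or hop-by-hop."""
    return {name: value for name, value in incoming.items()
            if name.lower() not in CREDENTIAL_HEADERS | HOP_BY_HOP}


def cors_response_headers(upstream: Dict[str, str]) -> Dict[str, str]:
    """Relay upstream headers, drop cookies, and mark the body readable by any origin.

    '*' is only safe because the request was made without credentials.
    """
    relayed = {name: value for name, value in upstream.items()
               if name.lower() not in DROPPED_RESPONSE_HEADERS | HOP_BY_HOP}
    relayed["Access-Control-Allow-Origin"] = "*"
    return relayed


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 3xx from an allowlisted host could point elsewhere."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def fetch_anonymously(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Perform the upstream GET with no user credentials and no redirect following."""
    request = urllib.request.Request(validate_target(url), headers=outbound_headers(headers))
    try:
        with OPENER.open(request, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except HTTPError as err:  # 3xx/4xx/5xx are still answers; relay them unchanged
        return err.code, dict(err.headers), err.read()


class ProxyHandler(BaseHTTPRequestHandler):
    """GET /?url=<public URL>  ->  the upstream body with CORS headers added."""

    def do_GET(self):
        target = parse_qs(urlparse(self.path).query).get("url", [""])[0]
        try:
            status, upstream_headers, body = fetch_anonymously(target, dict(self.headers))
        except (ValueError, URLError) as err:
            self.send_error(400, str(err))
            return
        self.send_response(status)
        for name, value in cors_response_headers(upstream_headers).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; put a real front end in front of it if it is ever exposed.
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Run it and point a page at `http://127.0.0.1:8080/?url=http://data.example.org/dataset.ttl` (with a real allowlisted host substituted). Because the browser's own cookies for the proxy's origin are dropped before the upstream request is built, the upstream site only ever sees an anonymous fetch, which is exactly the "no cookies, but no CORS complaints either" behaviour the message asks for, confined to hosts the operator has declared public.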