- From: Brandon Sterne <brandon@hackmill.com>
- Date: Tue, 5 Feb 2013 14:46:26 -0800
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Received on Tuesday, 5 February 2013 22:46:53 UTC
Thanks, Brad. That answers my question.

Cheers,
Brandon

On Tue, Feb 5, 2013 at 2:37 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> Brandon,
>
> The requirement is that CORS does not introduce any new Cross-Site Request
> Forgery attack capabilities not present in legacy user agents. Therefore,
> all requests that cannot be generated by pre-CORS user agents through
> methods like GET, POST and HEAD that are available through legacy HTML+JS
> must be anonymous or pre-authorized.
>
> The user agent should not send requests with credentials on non-simple
> HTTP methods unless and until the server indicates it is prepared to accept
> such by responding to the pre-flight request.
>
> Does this answer your question?
>
> -Brad
>
> From: brandon.sterne@gmail.com [mailto:brandon.sterne@gmail.com] On Behalf Of Brandon Sterne
> Sent: Tuesday, February 05, 2013 1:38 PM
> To: public-web-security@w3.org
> Subject: CORS question
>
> Hey guys,
>
> Co-workers of mine were trying to understand the threat model of CORS, and
> I was having trouble articulating some of the particular risks that the
> spec attempts to avoid. Why does the OPTIONS pre-flight request never
> carry credentials?
>
> Thanks,
> Brandon
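The rule Brad describes, modelled as an added example that is not part of the thread: a request a legacy form could already send is "simple" and goes out directly; anything else triggers an anonymous OPTIONS pre-flight, and the credentialed request is only sent once the server's response opts in. The function names and the origin/header values are assumptions made for this illustration; the simple-method and simple-header lists follow the CORS spec.

```javascript
// Added example (not from the thread): a minimal model of the browser-side
// CORS decision. Helper names are hypothetical; the lists follow the spec.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// A request is "simple" when legacy HTML forms / scripts could already send it.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return false;
    if (n === "content-type" && !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim())) return false;
  }
  return true;
}

// The pre-flight is an anonymous OPTIONS: no cookies, no Authorization, no body.
// Simplified: it lists every request header, not only the non-simple ones.
function buildPreflight(origin, method, headers) {
  return {
    method: "OPTIONS",
    credentials: "omit",
    headers: {
      "Origin": origin,
      "Access-Control-Request-Method": method.toUpperCase(),
      "Access-Control-Request-Headers": Object.keys(headers).map(h => h.toLowerCase()).sort().join(", "),
    },
  };
}

// Decide from the pre-flight response whether the real request may go out.
function preflightAllows(resp, origin, method, headers, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(resp.headers)) h[k.toLowerCase()] = v;
  const allowOrigin = h["access-control-allow-origin"];
  if (withCredentials) {
    // Once credentials are involved, a wildcard origin is never acceptable.
    if (allowOrigin !== origin || h["access-control-allow-credentials"] !== "true") return false;
  } else if (allowOrigin !== "*" && allowOrigin !== origin) {
    return false;
  }
  const split = (s) => (s || "").split(",").map(x => x.trim().toLowerCase()).filter(Boolean);
  const methods = split(h["access-control-allow-methods"]).map(m => m.toUpperCase());
  if (!methods.includes(method.toUpperCase())) return false;
  const allowedHeaders = new Set(split(h["access-control-allow-headers"]));
  return Object.keys(headers).every(n => allowedHeaders.has(n.toLowerCase()) || SIMPLE_HEADERS.has(n.toLowerCase()));
}
```

A server that answers the pre-flight with `Access-Control-Allow-Origin: *` and no `Access-Control-Allow-Credentials: true` therefore only ever opts in to anonymous requests, which is exactly the pre-CORS exposure.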