Hi All,

A couple of questions about CORS.

1: Why is CORS an opt-out setup instead of an opt-in? E.g., why are all my resources hidden to JS by default rather than exposed, then allowing me to limit access to specific resources at my discretion?

2: Why does CORS prevent this:

    function doNastyStuff() {
      var client = new XMLHttpRequest();
      client.open("GET", "intranet.corp.example/sensitive.json");
      client.send();
    }

but allow this:

    function doNastyStuff() {
      var script = document.createElement("script");
      script.src = 'intranet.corp.example/sensitive.json';
      document.body.appendChild(script);
    }

Best,
Nathan

Received on Monday, 10 May 2010 22:43:35 GMT
This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT