
Re: CORS Questions

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 10 May 2010 15:51:25 -0700
Message-ID: <AANLkTikHbbDSwpxMZrc6iJgzhE3p0Ow5cnIZ-uwbanW6@mail.gmail.com>
To: nathan@webr3.org
Cc: public-webapps@w3.org, Anne van Kesteren <annevk@opera.com>
On Mon, May 10, 2010 at 3:42 PM, Nathan <nathan@webr3.org> wrote:
> Hi All,
>
> A couple of questions about CORS.
>
>
> 1: Why is CORS an opt-out setup instead of an opt-in?
> eg why are all my resource hidden to js by default rather than exposed, then
> allowing me to limit access to specific resources at my discretion.

Because allowing reading by default would first require telling every
web site admin in the world about this new policy, in order to give
them a chance to protect sensitive resources. And there are a lot of
web site admins.

> 2: Why does CORS prevent this:
>
> function doNastyStuff() {
>        var client = new XMLHttpRequest();
>        client.open("GET", "http://intranet.corp.example/sensitive.json");
>        client.send();
> }
>
> but allow this:
>
> function doNastyStuff() {
>        var script = document.createElement("script");
>        script.src = 'http://intranet.corp.example/sensitive.json';
>        document.body.appendChild(script);
> }

The latter example doesn't let you read any of the data in
sensitive.json. All it does is download the data from the network,
interpret it, and then discard it. How would the doNastyStuff
function, or any other script on the same page, get at any of the data
in "sensitive.json"?

/ Jonas
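The opt-in model Jonas describes, as an added example that is not part of the original thread: the server emits `Access-Control-Allow-Origin` only for origins it has explicitly allow-listed, and the browser-side check exposes the response body to script only when that header names the requesting origin. The header names are the real CORS ones; the allow-list and the origins are constructed values.

```javascript
// Added example (not from the original thread): a minimal model of the
// CORS opt-in decision. Without an explicit server decision, the default
// answer is "not readable", which is the point of question 1 above.

const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed allow-list

// Server side: decide which CORS headers (if any) to add to a response.
function corsHeadersFor(requestOrigin) {
  const headers = {};
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    // Keep shared caches from serving one origin's header to another origin.
    headers["Vary"] = "Origin";
  }
  return headers; // default: no header, so cross-origin script cannot read the body
}

// Browser side (simplified resource-sharing check): a cross-origin XHR may
// read the response only if the header names the requesting origin, or is
// "*" for a request made without credentials.
function mayReadResponse(requestOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  return acao === requestOrigin;
}

// Ties both halves together for one cross-origin GET of /sensitive.json.
function simulateCrossOriginGet(requestOrigin, withCredentials = false) {
  const headers = corsHeadersFor(requestOrigin);
  return mayReadResponse(requestOrigin, headers, withCredentials);
}

console.log(simulateCrossOriginGet("https://app.example"));    // true: allow-listed
console.log(simulateCrossOriginGet("https://other.example"));  // false: no header emitted
```

The `<script src>` case from question 2 is not modelled here because there is nothing to model: the fetched JSON is evaluated as a script and yields no value the page can read.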
Received on Monday, 10 May 2010 22:52:18 GMT
