
HTTP access control confusion

From: Douglas Beck <dbeck@mail.ucf.edu>
Date: Thu, 29 Jul 2010 11:10:03 -0400
Message-ID: <4C5199CB.1040501@mail.ucf.edu>
To: public-webapps@w3.org
CC: Jared <jslang@mail.ucf.edu>
I have recently read through:
https://developer.mozilla.org/En/HTTP_access_control
https://wiki.mozilla.org/Security/Origin

I've discussed what I've read and learned with my coworkers and there's 
been some confusion.  I understand and appreciate the need for a 
security policy that allows for cross-site https requests.  I do not 
understand how Access-Control-Allow-Origin addresses usability and 
security concerns.

The basis of our confusion:
I create domain-a.com and I want to make an ajax request to 
domain-b.com.  A preflight request is made to domain-b, and domain-b 
responds with whether it is safe to send the request.

Does it not make more sense for me (the author of domain-a) to define 
the security policy of my website?  I know each and every request that 
should be made on my site and can define a list of all acceptable 
content sources.  If the preflight request is made to domain-a (not 
domain-b) then the content author is the source of authority.

A more functional example (and the source of my curiosity): I work for 
the University of Central Florida.  I am currently working on a 
subdomain that wants to pull from the main .edu TLD.  The university has 
yet to define an Access-Control header policy, so my subdomain is unable 
to read what's available on the main .edu website.

Additionally, if I am working with authorized content, it would be 
useful for me to define/limit where cross-site requests can be made.  It 
seems backwards that an external source can define a security policy 
that affects the usability of my content.

I sincerely appreciate any time you can give explaining the policy.
Thank you for all the great work that's been done.

Sincerely,
Douglas Beck

-- 
Douglas Beck
Web Communications | 407.823.1699
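The exchange the message describes, written out as an added example (this is not code from the original post or from any W3C or Mozilla project). It plays the part of the resource server ("domain-b"): on the preflight it checks the requesting page's Origin against its own allowlist and answers only if that origin, method and header set are acceptable; on the actual request it repeats the origin check. The last function shows the browser's side: a page's script may read a cross-origin response only when the server named that page's exact origin (or `*`, and then only for uncredentialed requests). The origins, methods and headers in the allowlist are constructed sample values, not a real policy.

```javascript
// Added example: a CORS preflight decision as the resource server makes it.
// Pure functions, no network, so it runs offline; a real deployment would call
// decidePreflight() from its OPTIONS handler and corsHeadersForActual() from
// the GET/POST handlers. All allowlist values below are constructed samples.

// Origins allowed to read this server's responses. The resource owner keeps
// this list because the header protects *its* data: the user's browser would
// attach this server's cookies to a request made from any page, so a policy
// declared by the requesting page could never be trusted.
const ALLOWED_ORIGINS = new Set([
  "https://sub.example.edu", // constructed: the subdomain that wants to read
]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);
const ALLOWED_HEADERS = new Set(["content-type", "x-requested-with"]); // lower-case

// Decide an OPTIONS preflight. `req.headers` is a plain object with lower-case
// header names. Returns the CORS response headers to send, or null to refuse
// (send no CORS headers at all; the browser then blocks the actual request).
function decidePreflight(req) {
  const origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;

  const method = (req.headers["access-control-request-method"] || "").toUpperCase();
  if (!ALLOWED_METHODS.has(method)) return null;

  const requested = (req.headers["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!requested.every((h) => ALLOWED_HEADERS.has(h))) return null;

  return {
    // Echo the specific origin; "*" cannot be combined with credentials.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
    "Access-Control-Allow-Headers": requested.join(", "),
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Max-Age": "600",
    // A cache keyed without Origin could serve one origin's answer to another.
    "Vary": "Origin",
  };
}

// The actual (non-preflight) request repeats the same origin check.
function corsHeadersForActual(req) {
  const origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// The browser's side: script on a page at `pageOrigin` may read the response
// only if Access-Control-Allow-Origin names that exact origin, or is "*" and
// the request carried no credentials. Otherwise the response is delivered to
// the network layer but withheld from the page.
function browserMayRead(pageOrigin, responseHeaders, credentialed) {
  if (!responseHeaders) return false;
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === "*") return !credentialed;
  return acao === pageOrigin;
}

// Stand-alone demonstration with constructed requests.
function demo() {
  const allowed = decidePreflight({
    headers: {
      origin: "https://sub.example.edu",
      "access-control-request-method": "POST",
      "access-control-request-headers": "Content-Type",
    },
  });
  const refused = decidePreflight({
    headers: { origin: "https://other.example", "access-control-request-method": "GET" },
  });
  console.log("allowed origin:", allowed);
  console.log("unlisted origin:", refused);
  console.log("page may read:", browserMayRead("https://sub.example.edu", allowed, true));
  return { allowed, refused };
}

if (typeof require !== "undefined" && require.main === module) demo();

module.exports = { decidePreflight, corsHeadersForActual, browserMayRead, demo };
```

The allowlist lives with the server that owns the data because the browser sends that server's cookies and other ambient credentials with every request, whatever page made it; if the requesting page could declare the policy, any site could grant itself read access to another site's authenticated content. The complementary control the message asks for, restricting which origins one's own page is allowed to contact, is indeed the page author's to set, through Content Security Policy's `connect-src` directive, and is separate from the resource owner's `Access-Control-Allow-Origin`.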
Received on Friday, 30 July 2010 19:42:05 GMT
