Re: file sharing services

There are serious security implications for enabling CORS, even with 
session-less requests.
It's going to be a very long opt-in process for file sharing services.

-Charles

On 12/1/11 1:12 PM, Yehuda Katz wrote:
> I spoke to Jonas and several others at TPAC, and everyone agreed that 
> for web servers that are not behind a firewall, it's safe to 
> *always* Access-Control-Allow-Origin: *.
>
> If this is true, as it seems to be, it would be great if the spec 
> would explicitly call out the reason for requiring the header for 
> cookie-less requests, and say that in non-firewall cases, it's always 
> safe to include the header.
>
> Yehuda Katz
> (ph) 718.877.1325
>
>
> On Thu, Dec 1, 2011 at 7:53 AM, Tab Atkins Jr. <jackalmage@gmail.com 
> <mailto:jackalmage@gmail.com>> wrote:
>
>     On Mon, Nov 28, 2011 at 4:05 AM, Nicolas Mollet
>     <nico.mollet@gmail.com <mailto:nico.mollet@gmail.com>> wrote:
>     > Hello,
>     >
>     > I am new here, not sure if it's the right place to talk about my
>     > problem.
>     >
>     > As I understand it, CORS is a new specification, and it was
>     > introduced in the latest Firefox 8.
>     > Many users started to edit their server properties using the
>     > "Access-Control-Allow-Origin" property.
>     >
>     > What about servers we don't have access to, like the file
>     > sharing services (Dropbox, Photobucket)?
>     >
>     > For example, in my project, I hosted many files in a Dropbox
>     > Public Folder: now it is becoming useless because CORS is not
>     > enabled on Dropbox.
>     > What should be done? Can Dropbox change its policy to support
>     > CORS?
>     >
>     > Can your group contact file sharing services so they can adapt
>     > their services to CORS?
>     >
>     > Thank you very much,
>
>     Yes, third-party hosting services need to add CORS headers as well if
>     they want their stuff to be accessible from XHR, etc.  It's the same
>     process for them as it is for a normal author.
>
>     It's possible that someone from this mailing list could contact those
>     services.  It's more likely to happen, though, if you do it yourself.
>     ^_^
>
>     ~TJ
>
>
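
The rule debated in the quoted thread, written out as a server-side header policy: emit Access-Control-Allow-Origin: * only for resources whose response does not depend on a session and whose server is not behind a firewall, and fall back to a per-origin allowlist for everything else. This is an added example, not code from anyone in the thread; the allowlist, function names and parameters are assumptions made for the illustration.

```python
# Added example, not from the thread: a server-side helper that applies the
# rule under discussion. "*" is emitted only for resources whose response
# does not depend on a session and whose server is not behind a firewall;
# every other case echoes an allowlisted Origin instead. The allowlist,
# function names and parameters are constructed for this example.
from typing import Dict, Optional

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allowlist


def cors_headers(origin: Optional[str], *, session_dependent: bool,
                 behind_firewall: bool) -> Dict[str, str]:
    """Return the CORS response headers to add to one response.

    origin:            value of the request's Origin header, if any.
    session_dependent: the body depends on cookies or other credentials.
    behind_firewall:   the server is reachable only from a private network,
                       so "*" would expose it to any public origin via a
                       browser running inside that network.
    """
    # Case 1: the cookie-less, internet-facing case. "*" reveals nothing
    # that could not already be fetched directly, so it is safe here.
    if not session_dependent and not behind_firewall:
        return {"Access-Control-Allow-Origin": "*"}

    # Case 2: per-origin opt-in. An absent or non-allowlisted Origin gets no
    # CORS headers, so the browser refuses to expose the response.
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}

    # Echoing the Origin requires Vary so a shared cache never serves one
    # origin's allow-header to another. Credentials are only ever granted to
    # a named origin; browsers reject "*" combined with Allow-Credentials.
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if session_dependent:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def is_safe_policy(headers: Dict[str, str]) -> bool:
    """Sanity check: never advertise "*" together with credentials."""
    return not (headers.get("Access-Control-Allow-Origin") == "*"
                and "Access-Control-Allow-Credentials" in headers)
```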

Received on Thursday, 1 December 2011 21:51:41 UTC