- From: Yehuda Katz <wycats@gmail.com>
- Date: Thu, 1 Dec 2011 13:54:59 -0800
- To: Charles Pritchard <chuck@jumis.com>
- Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, Nicolas Mollet <nico.mollet@gmail.com>, public-webapps@w3.org
- Message-ID: <CAMFeDTX5sm0bZLYGFs8aCQb2qr38PpFmqJ5jE1OpqsQNfVN+RA@mail.gmail.com>
Yehuda Katz
(ph) 718.877.1325

On Thu, Dec 1, 2011 at 1:51 PM, Charles Pritchard <chuck@jumis.com> wrote:

> There are serious security implications for enabling CORS, even with
> session-less requests.
> It's going to be a very long opt-in process for file sharing services.
> For sessionless requests, what are those concerns?
>
>
> -Charles
>
>
> On 12/1/11 1:12 PM, Yehuda Katz wrote:
>
> I spoke to Jonas and several others at TPAC, and everyone agreed that for
> web servers that are not behind a firewall, it's safe to
> *always* Access-Control-Allow-Origin: *.
>
> If this is true, as it seems to be, it would be great if the spec would
> explicitly call out the reason for requiring the header for cookie-less
> requests, and say that in non-firewall cases, it's always safe to include
> the header.
>
> Yehuda Katz
> (ph) 718.877.1325
>
>
> On Thu, Dec 1, 2011 at 7:53 AM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>
>> On Mon, Nov 28, 2011 at 4:05 AM, Nicolas Mollet <nico.mollet@gmail.com>
>> wrote:
>> > Hello,
>> >
>> > I am new here, not sure if it's the good place to talk about my problem.
>> >
>> > What I understand, CORS is a new specification, and it was introduced
>> in the
>> > latest Firefox 8.
>> > Many users started to edit their servers properties using
>> > "Access-Control-Allow-Origin" property.
>> >
>> > What about servers we don't have access to, like the file sharing
>> services
>> > (Dropbox, Photobucket).
>> >
>> > For example, in my project, I hosted many files on Dropbox Public
>> Folder :
>> > now it is becoming useless because CORS is not enabled on Dropbox.
>> > What should be done ? Can Dropbox change his policy according to CORS ?
>> >
>> > Does your group can contact file sharing services so they can adapt
>> their
>> > services to CORS ?
>> >
>> > Thank you very much,
>>
>> Yes, third-party hosting services need to add CORS headers as well if
>> they want their stuff to be accessible from XHR, etc. It's the same
>> process for them as it is for a normal author.
>>
>> It's possible that someone from this mailing list could contact those
>> services. It's more likely to happen, though, if you do it yourself.
>> ^_^
>>
>> ~TJ
>>
>>
>
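The distinction the thread turns on (a wildcard `Access-Control-Allow-Origin: *` for cookie-less, publicly readable resources versus the stricter handling a session-bound resource needs) modelled as an added example; this is illustrative code written for this page, not from the CORS spec, Dropbox, or any participant, and the origins and allowlist are constructed.

```python
"""Server-side CORS header policy and the browser-side check it must satisfy.

A public, sessionless resource (a file-sharing service's public folder) can
answer every origin with '*': the response does not depend on the requester's
cookies, so a cross-origin reader learns nothing it could not fetch directly.
The caveat raised in the thread (servers behind a firewall) is that such a
resource is NOT public to the outside world, so '*' would let any web page a
staff member visits read intranet content through their browser.
"""
from typing import Dict, Set


def public_resource_headers() -> Dict[str, str]:
    """Headers for a sessionless, world-readable resource: wildcard is safe."""
    return {"Access-Control-Allow-Origin": "*"}


def credentialed_resource_headers(origin: str, allowlist: Set[str]) -> Dict[str, str]:
    """Headers for a resource whose content depends on the user's session.

    The wildcard is not permitted together with credentials, so the server
    echoes only an explicitly trusted origin and tells caches to vary on it.
    An unknown origin gets no CORS headers at all (the browser then blocks).
    """
    if origin not in allowlist:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_allows(origin: str, with_credentials: bool, headers: Dict[str, str]) -> bool:
    """Resource-sharing check a browser applies before exposing the response."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if not with_credentials:
        # Cookie-less request: '*' or an exact origin match is enough.
        return acao in ("*", origin)
    # Credentialed request: '*' is rejected; origin must match exactly and
    # Access-Control-Allow-Credentials must be literally "true".
    return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"
```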
Received on Thursday, 1 December 2011 21:55:49 UTC