Re: Why the restriction on unauthenticated GET in CORS?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 19 Jul 2012 15:54:14 +0200
Message-ID: <CADnb78gAFXEbtBMbSOaGxBdhsgZHaMabYRfu+eCE7H9u+rVe9g@mail.gmail.com>
To: Henry Story <henry.story@bblfish.net>
Cc: Cameron Jones <cmhjones@gmail.com>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org

On Thu, Jul 19, 2012 at 2:43 PM, Henry Story <henry.story@bblfish.net> wrote:
> If a mechanism can be found to apply restrictions for private IP ranges then that
> should be used in preference to forcing the rest of the web to implement CORS
> restrictions on public data. And indeed the firewall servers use private IP ranges,
> which do in fact make a good distinguisher for public and non-public space.

It's not just private servers (there's no guarantee those only use
private IP ranges either). It's also IP-based authentication to
private resources as e.g. W3C has used for some time.


-- 
http://annevankesteren.nl/
Received on Thursday, 19 July 2012 13:54:47 GMT