Re: Why the restriction on unauthenticated GET in CORS?

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Fri, 20 Jul 2012 12:02:54 -0700
Message-ID: <CAAWBYDD9V_8VtyDdGpAhWW89iJKQAnFDeuTdRJzp1BV8UyL2dA@mail.gmail.com>
To: Henry Story <henry.story@bblfish.net>
Cc: Adam Barth <w3c@adambarth.com>, Cameron Jones <cmhjones@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Fri, Jul 20, 2012 at 11:58 AM, Henry Story <henry.story@bblfish.net> wrote:
> Of course, but you seem to want to support hidden legacy systems, that is systems none of us know about or can see. It is still a worthwhile inquiry to find out how many systems there are for which this is a problem, if any. That is:
>
>   a) systems that use non standard internal ip addresses
>   b) systems that use ip-address provenance for access control
>   c) ? potentially other issues that we have not covered
>
> Systems with a) are going to be very rare it seems to me, and the question would be whether they can't really move over to standard internal ip addresses. Perhaps IPv6 makes that easy.
>
> It is not clear that anyone should bother with designs such as b) - that's bad practice anyway I would guess.

We know that systems which base their security at least in part on
network topology (are you on a computer inside the DMZ?) are common
(because it's easy).

~TJ
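The design Henry labels b) and Tab calls common can be made concrete. The following is an added example, not code from the thread or from any W3C specification: it models an intranet service's authorization decision once, with only the peer IP address, and once with the browser-supplied Origin header also consulted, for a browser on an internal workstation that is rendering an external page. The address ranges, the hostnames and the `TRUSTED_ORIGINS` allowlist are constructed placeholders.

```python
# Added example: IP-provenance-only access control versus an Origin-aware
# check, for an intranet resource reachable by a browser behind the firewall.
import ipaddress
from typing import Optional

# Constructed sample values: the internal ranges and the service's own origin.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_ORIGINS = {"https://intranet.example"}   # hypothetical allowlist


def is_internal(src_ip: str) -> bool:
    """True if the TCP peer address falls inside the internal ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in INTERNAL_NETS)


def ip_only_policy(src_ip: str, origin: Optional[str]) -> bool:
    """Design b) from the thread: trust anything arriving from an internal
    address, ignoring which web page caused the browser to send it."""
    return is_internal(src_ip)


def origin_aware_policy(src_ip: str, origin: Optional[str]) -> bool:
    """Still requires an internal peer, but refuses cross-origin browser
    requests: an Origin header not on the allowlist marks the request as
    initiated by an untrusted page, whatever its source IP."""
    if not is_internal(src_ip):
        return False
    if origin is None:          # non-browser client or plain same-origin navigation
        return True
    return origin in TRUSTED_ORIGINS


def cors_headers(origin: Optional[str], allowed: bool) -> dict:
    """Emit Access-Control-Allow-Origin only for an allowed, listed origin;
    never echo an arbitrary Origin and never use '*' for this resource."""
    if allowed and origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


# Constructed scenario: a browser on an internal workstation (10.1.2.3)
# renders an external page, which issues an unauthenticated cross-origin GET.
if __name__ == "__main__":
    src, ext = "10.1.2.3", "https://outside.example"
    print("ip-only     :", ip_only_policy(src, ext))        # True
    print("origin-aware:", origin_aware_policy(src, ext))   # False
```

The first policy serves the internal resource to a request that an external page initiated, which is exactly the case the thread is worried about; the second declines it while still serving same-origin and non-browser internal clients.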
Received on Friday, 20 July 2012 19:03:43 GMT