Re: CORS

On Wed, 11 Oct 2017, 01:02 Jack (Zhan, Hua Ping), <jackiszhp@gmail.com>
wrote:

> Be aware that I do not serve his a.html GOOG ticker data with the CORS
> header. And the ticker data I will serve him is "{}". If I serve him
> with a piece of JS: var objname={}, then his a.html can always get the
> data as needed with a script element.

Some resources can be fetched without CORS (the spec calls these no-cors
requests), and some APIs can consume them under certain conditions, such as
img, media, CSS and script.

In many ways, this was a mistake, and they're a vector in a lot of privacy
attacks. E.g. https://goo.gl/UPV32Q (pdf), which resulted in restrictions
being applied to CSS.

Although it's worth noting that when site A executes a script from site B,
it is giving site B full control over the page and storage on its origin.

Received on Wednesday, 11 October 2017 07:42:02 UTC