- From: Jack (Zhan, Hua Ping) <jackiszhp@gmail.com>
- Date: Thu, 12 Oct 2017 06:42:07 +0800
- To: "public-webapps@w3.org" <public-webapps@w3.org>
> Effectively you want to get rid of the same-origin policy. This isn't going > to happen because everybody else relies on it working. CORS exists because > the same-origin policy exists. And the same-origin policy exists to avoid > exposing side effects and data to third parties for data requests which > where introduced to the web at a later stage when there was already a large > volume of existing sites which couldn't all be changed. > > In essence it seems you're not happy with how history went, and you'd like > the entire world to change all at once so that you can avoid adding a > perfectly functional http header... No. I want the old style same origin policy almost unchanged, just relax a bit Did you read http://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0024.html? Seems to me you do not get my point, I do not know what is missing for you not to understand me. That browser allows http://evil.com/a.html to load https://bankA.com/ticker/MSFT with the same origin policy does not compromise the security of https://bankA.com/. If you think the security of https://bankA.com/LastTransactionOfISISaccount is compromised, then defeat me please. Why do I want the browser to serve you a.html? Because many sites they just did not serve the header you are eager for! There is no point for me, the manager of https://bankA.com/, to delegate authorization check to a remote browser. Jack (Zhan, Hua Ping詹华平)
Received on Wednesday, 11 October 2017 22:42:30 UTC