W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2012

Re: Why the restriction on unauthenticated GET in CORS?

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 18 Jul 2012 03:47:21 +0000 (UTC)
To: Henry Story <henry.story@bblfish.net>
cc: public-webapps public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
Message-ID: <Pine.LNX.4.64.1207180344560.27616@ps20323.dreamhostps.com>
On Wed, 18 Jul 2012, Henry Story wrote:
> 
> So my argument is that this restriction could be lifted since 
> 
>  1. GET is idempotent - and should not affect the resource fetched
>
>  2. If there is no authentication, then the JS Agent could make the 
> request via a CORS proxy of its choosing, and so get the content of the 
> resource anyhow.

No, such a proxy can't get to intranet pages.

"Authentication" on the Internet can include many things, e.g. IP 
addresses or mere connectivity, that are not actually included in the body 
of an HTTP GET request. It's more than just cookies and HTTP auth headers.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
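The distinction Ian draws above, that a browser sitting on the intranet has ambient network access a public CORS proxy lacks, and that the cross-origin read is therefore gated on the target server opting in, can be made concrete. The following is an added example, not code from the thread or from any browser; it models the browser-side CORS check for a plain (credential-less) GET as the Fetch specification describes it, and pairs it with a deliberately simplified reachability classifier. The origin `https://evil.example`, the sample addresses and the header lists are constructed for illustration.

```javascript
// Added example, not part of the original mailing-list post.
// Models why the CORS opt-in is still required for an "unauthenticated" GET:
// the browser can reach hosts a public proxy cannot, so reachability itself
// acts as a credential that the target server never explicitly sent.

// Browser-side CORS check for a response to a cross-origin request.
// `responseHeaders` is an array of [name, value] pairs so repeated headers
// can be represented; repeats are joined with ", " as HTTP would combine them,
// which then fails the exact-match comparisons below.
function corsCheck(origin, credentialsMode, responseHeaders) {
  const get = (name) => {
    const vals = responseHeaders
      .filter(([k]) => k.toLowerCase() === name.toLowerCase())
      .map(([, v]) => v);
    return vals.length ? vals.join(", ") : null;
  };
  const acao = get("Access-Control-Allow-Origin");
  if (acao === null) return false;                          // server never opted in
  if (credentialsMode !== "include" && acao === "*") return true;
  if (acao !== origin) return false;                        // exact, case-sensitive match
  if (credentialsMode !== "include") return true;
  // Credentialed reads additionally require an explicit, exact "true".
  return get("Access-Control-Allow-Credentials") === "true";
}

// Which targets a proxy on the public Internet cannot reach on the script's
// behalf. Simplified: IPv4 literals and "localhost" only; a real check would
// classify the address the name resolves to, since names can point anywhere.
function isIntranetHost(host) {
  const h = host.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;                                     // assume a public name
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 ||                           // RFC 1918 10/8, loopback
    (a === 172 && b >= 16 && b <= 31) ||                    // RFC 1918 172.16/12
    (a === 192 && b === 168) ||                             // RFC 1918 192.168/16
    (a === 169 && b === 254);                               // link-local
}

// For a script running at `origin`: can it read http://<targetHost>/ through
// a proxy of its choosing, and can it read it through the user's browser?
function whoCanRead(origin, targetHost, responseHeaders) {
  return {
    viaProxy: !isIntranetHost(targetHost),                  // proxy is outside the network
    viaBrowser: corsCheck(origin, "omit", responseHeaders), // browser is inside, needs opt-in
  };
}

// Constructed scenarios (not real hosts).
const ORIGIN = "https://evil.example";
const scenarios = [
  ["public host, ACAO *", "93.184.216.34", [["Access-Control-Allow-Origin", "*"]]],
  ["intranet host, no CORS headers", "192.168.1.10", []],
  ["intranet host that opted in", "10.0.0.5", [["Access-Control-Allow-Origin", "*"]]],
];
for (const [label, host, headers] of scenarios) {
  console.log(label, whoCanRead(ORIGIN, host, headers));
}
```

The middle scenario is the one Ian's reply is about: the proxy cannot fetch it at all, and the browser could, but `corsCheck` refuses to expose the body because the intranet server sent no `Access-Control-Allow-Origin`. Lifting the restriction for credential-less GETs would remove exactly that refusal.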
Received on Wednesday, 18 July 2012 03:47:45 GMT
