W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2012

Re: Why the restriction on unauthenticated GET in CORS?

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 18 Jul 2012 05:57:13 +0200
Cc: public-webapps public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
Message-Id: <9AE1CD30-FAC7-4DC0-9073-505B1C019125@bblfish.net>
To: Ian Hickson <ian@hixie.ch>

On 18 Jul 2012, at 05:47, Ian Hickson wrote:

> On Wed, 18 Jul 2012, Henry Story wrote:
>> 
>> So my argument is that this restriction could be lifted since 
>> 
>> 1. GET is idempotent - and should not affect the resource fetched
>> 
>> 2. If there is no authentication, then the JS Agent could make the 
>> request via a CORS proxy of its choosing, and so get the content of the 
>> resource anyhow.
> 
> No, such a proxy can't get to intranet pages.
> 
> "Authentication" on the Internet can include many things, e.g. IP 
> addresses or mere connectivity, that are not actually included in the body 
> of an HTTP GET request. It's more than just cookies and HTTP auth headers.

Ah yes, quite right.  Tricky space...

Perhaps my question can be useful in your CORS design-decisions-faq .

Thanks,

	Henry


> 
> -- 
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Social Web Architect
http://bblfish.net/
Received on Wednesday, 18 July 2012 03:57:49 GMT
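The point Ian makes above (that "authentication" can be nothing more than the client's network position, which a public CORS proxy cannot borrow) can be made concrete with a small model. The following is an added example, not code from the thread or from any W3C deliverable. It implements the browser-side CORS response check for a simple GET as the Fetch standard specifies it (Access-Control-Allow-Origin must be `*` or the exact requesting origin; with credentials, `*` is rejected and Access-Control-Allow-Credentials: true is required), and then stages the proxy argument against a toy intranet server whose only access control is the caller's IP address. The origins, hostnames and addresses are assumptions chosen for the illustration.

```javascript
// Added example: model of the browser's CORS check for a simple GET and of
// the "CORS proxy" argument from the thread. Names below are assumptions.

const PAGE_ORIGIN = "https://attacker.example"; // origin running the script (assumed)

// Browser-side CORS check for a response (Fetch standard, "CORS check").
// Returns true if script on requestOrigin may read the response body.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined || acao === "null") return false;
  if (credentialsMode !== "include") {
    // Non-credentialed request: wildcard or exact origin match opts in.
    return acao === "*" || acao === requestOrigin;
  }
  // Credentialed request: wildcard is not allowed, origin must match exactly,
  // and the server must also send Access-Control-Allow-Credentials: true.
  if (acao === "*" || acao !== requestOrigin) return false;
  return headers["access-control-allow-credentials"] === "true";
}

// Toy intranet resource (assumed): no cookies, no HTTP auth. The only
// "authentication" is that the client connects from 10.0.0.0/8.
function intranetServer(clientIp) {
  const onLan = /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(clientIp);
  if (!onLan) return { status: 403, headers: {}, body: "forbidden" };
  // Internal data, with no CORS headers at all: the server never opted in.
  return { status: 200, headers: { "content-type": "text/plain" }, body: "internal payroll data" };
}

// A public CORS proxy: fetches the target from its own (public) IP address
// and stamps Access-Control-Allow-Origin: * onto whatever it received.
function corsProxy(target, proxyIp) {
  const resp = target(proxyIp);
  return { ...resp, headers: { ...resp.headers, "access-control-allow-origin": "*" } };
}

// What the attacker's script actually gets to read from a given response.
function scriptCanRead(response) {
  return corsCheck(PAGE_ORIGIN, "omit", response.headers) ? response.body : null;
}

function scenario() {
  // 1. Direct cross-origin GET from the victim's browser, which sits on the LAN:
  //    the intranet server answers 200, but without ACAO the browser withholds
  //    the body from the script. This is the restriction the thread asks about.
  const direct = intranetServer("10.1.2.3");

  // 2. Same GET routed through a public CORS proxy (203.0.113.7 is a
  //    documentation address, assumed here to be the proxy's public IP):
  //    the proxy is not on the LAN, so the intranet server refuses it. The
  //    script can read the proxied response, but it contains nothing internal.
  const viaProxy = corsProxy(intranetServer, "203.0.113.7");

  // 3. A genuinely public resource that opts in with ACAO: * is readable either way.
  const publicResource = () => ({ status: 200, headers: { "access-control-allow-origin": "*" }, body: "public" });

  return {
    directStatus: direct.status,          // 200: the server served it
    directBody: scriptCanRead(direct),    // null: browser blocked the read
    proxyStatus: viaProxy.status,         // 403: proxy lacks the ambient authority
    proxyBody: scriptCanRead(viaProxy),   // "forbidden": readable, but useless
    publicBody: scriptCanRead(publicResource()),
  };
}
```

Running `scenario()` shows the asymmetry that makes lifting the restriction unsafe: the browser on the intranet can fetch the resource (step 1) but is not allowed to expose it, while the proxy that could expose it (step 2) cannot fetch it. Only a resource whose server explicitly opts in (step 3) is readable cross-origin, which is exactly what the Access-Control-Allow-Origin header is for.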
