
Re: Why the restriction on unauthenticated GET in CORS?

From: Cameron Jones <cmhjones@gmail.com>
Date: Thu, 19 Jul 2012 15:10:16 +0100
Message-ID: <CALGrgesAsumcAAa0X_ux5R9UbUhL0bzfyNpgUmKhGHBWN7byGg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Henry Story <henry.story@bblfish.net>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org

On Thu, Jul 19, 2012 at 2:54 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Jul 19, 2012 at 2:43 PM, Henry Story <henry.story@bblfish.net> wrote:
>> If a mechanism can be found to apply restrictions for private IP ranges then that
>> should be used in preference to forcing the rest of the web to implement CORS
>> restrictions on public data. And indeed the firewall servers use private IP ranges,
>> which do in fact make a good distinguisher for public and non public space.
>
> It's not just private servers (there's no guarantee those only use
> private IP ranges either). It's also IP-based authentication to
> private resources as e.g. W3C has used for some time.

Isn't this mitigated by the Origin header?

Also, what about the point that this is unethically pushing the costs
of securing private resources onto public access providers?

Thanks,
Cameron Jones
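To make the two sides of this exchange concrete, here is an added example (not code from the thread or from any W3C specification) that models the browser's CORS check on a cross-origin GET response and the server-side Origin allowlist check the reply asks about. It shows why a legacy IP-authenticated intranet server that sends no CORS headers stays protected by the restriction, and that the Origin header only helps once a server actually inspects it; the origins and header dicts are constructed for the example.

```python
# Added example (not part of the original thread): a model of the CORS
# resource-sharing check a browser applies before exposing a cross-origin
# response, plus the server-side Origin allowlist check the reply asks about.

def cors_response_exposed(request_origin, response_headers, with_credentials=False):
    """Return True if a browser would expose the response to the calling page.

    `response_headers` is a dict of lower-cased header names to values, as
    the server actually sent them. A server that has never heard of CORS
    sends no Access-Control-* headers at all, so the browser withholds it.
    """
    acao = response_headers.get("access-control-allow-origin")
    if acao is None or "," in acao:          # missing or multiple values: fail
        return False
    if not with_credentials and acao == "*":
        return True
    if acao != request_origin:               # must match the origin exactly
        return False
    if not with_credentials:
        return True
    # Credentialed requests additionally need an explicit opt-in.
    return response_headers.get("access-control-allow-credentials") == "true"


def origin_allowed(request_headers, allowlist):
    """Server-side check for a resource gated only by client IP address.

    Browsers attach an Origin header to cross-origin requests, so an
    IP-authenticated server can refuse requests whose Origin is not on its
    allowlist. A request without Origin is not a cross-origin browser fetch.
    """
    origin = request_headers.get("origin")
    if origin is None:
        return True
    return origin in allowlist


# Constructed scenario: a public page on example.com reads an internal
# resource whose server relies on the client's IP address for access control.
LEGACY_INTRANET_RESPONSE = {"content-type": "text/html"}   # no CORS headers
PUBLIC_DATA_RESPONSE = {"access-control-allow-origin": "*"}

if __name__ == "__main__":
    public_page = "http://example.com"
    print("legacy intranet response exposed:",
          cors_response_exposed(public_page, LEGACY_INTRANET_RESPONSE))  # False
    print("public data response exposed:",
          cors_response_exposed(public_page, PUBLIC_DATA_RESPONSE))      # True
    print("Origin check on intranet server:",
          origin_allowed({"origin": public_page}, {"http://intranet.example"}))  # False
```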
Received on Thursday, 19 July 2012 14:10:47 GMT