
Re: Why the restriction on unauthenticated GET in CORS?

From: Cameron Jones <cmhjones@gmail.com>
Date: Thu, 19 Jul 2012 15:50:00 +0100
Message-ID: <CALGrgev_chZNNE7Z+5VKS_AzAsfPBVK=jbugK7txyZroYo2LLw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Henry Story <henry.story@bblfish.net>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones <cmhjones@gmail.com> wrote:
>> Isn't this mitigated by the Origin header?
>
> No.
>
>

Could you expand on this response, please?

My understanding is that requests generated from XHR will have Origin
applied. This can be used to reject requests from third-party websites
within browsers. Therefore, intranets have the potential to restrict
access from internal user browsing habits.


>> Also, what about the point that this is unethically pushing the costs
>> of securing private resources onto public access providers?
>
> It is far more unethical to expose a user's private data.
>
>

Yes, but if no user private data is being exposed then there is cost
being paid for no benefit.

> --
> http://annevankesteren.nl/

Thanks,
Cameron Jones
Received on Thursday, 19 July 2012 14:50:29 GMT
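The Origin-based rejection that the message above describes, written out as an added example; this is not code from the original thread or from any W3C or browser project. It is a Node.js decision function that an intranet server could run on every request: it parses the Origin header, normalises it, and grants the response only to an allowlisted origin. The names `parseOrigin`, `decide` and `ALLOWED_ORIGINS`, the two intranet origins, and the request records in `runDemo` are all assumed or constructed for illustration.

```javascript
// Added example (not from the original thread). Assumed allowlist of origins
// that may read this intranet server's responses from a browser.
const ALLOWED_ORIGINS = new Set([
  'https://intranet.example',
  'https://tools.intranet.example',
]);

// Classify an Origin header value. A browser sends Origin as a serialised
// origin (scheme://host[:port]) or the literal "null" (e.g. a sandboxed
// iframe); a same-origin GET or a non-browser client sends none at all.
function parseOrigin(value) {
  if (value === undefined) return { kind: 'absent' };
  if (value === 'null') return { kind: 'opaque' };
  let u;
  try {
    u = new URL(value);
  } catch {
    return { kind: 'malformed' };
  }
  // A serialised origin carries no credentials, path, query or fragment, and
  // its scheme must yield a tuple origin (file: and the like serialise to "null").
  if (u.username || u.password || u.pathname !== '/' || u.search || u.hash ||
      u.origin === 'null') {
    return { kind: 'malformed' };
  }
  // u.origin is normalised: lower-cased scheme and host, default port dropped.
  return { kind: 'tuple', origin: u.origin };
}

// Decide the status and CORS headers for a request record of the form
// { method, headers } where header names are lower-cased, as Node presents them.
function decide(req) {
  const parsed = parseOrigin(req.headers.origin);
  switch (parsed.kind) {
    case 'absent':
      // No Origin: not a cross-origin browser request, so CORS is not in play.
      // The usual same-origin or non-browser handling applies.
      return { status: 200, headers: {} };
    case 'tuple':
      if (ALLOWED_ORIGINS.has(parsed.origin)) {
        // Echo the specific origin (never "*" for private data) and tell caches
        // that the response depends on the Origin header.
        return {
          status: 200,
          headers: { 'Access-Control-Allow-Origin': parsed.origin, 'Vary': 'Origin' },
        };
      }
      // Cross-origin request from a site that is not on the allowlist:
      // refuse to serve the body at all rather than relying on the browser's
      // CORS check to withhold it from the page.
      return { status: 403, headers: {} };
    default:
      // Opaque ("null") or malformed Origin: never grant access.
      return { status: 403, headers: {} };
  }
}

// Constructed request records (not captured traffic) showing each branch.
function runDemo() {
  const samples = [
    { label: 'same-origin GET, no Origin', req: { method: 'GET', headers: {} } },
    { label: 'allowlisted intranet origin', req: { method: 'GET', headers: { origin: 'https://intranet.example' } } },
    { label: 'same origin, odd casing and default port', req: { method: 'GET', headers: { origin: 'HTTPS://Intranet.Example:443' } } },
    { label: 'third-party site', req: { method: 'GET', headers: { origin: 'https://attacker.example' } } },
    { label: 'sandboxed iframe', req: { method: 'GET', headers: { origin: 'null' } } },
    { label: 'malformed (path present)', req: { method: 'GET', headers: { origin: 'https://intranet.example/x' } } },
  ];
  return samples.map(({ label, req }) => ({ label, ...decide(req) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runDemo()) {
    console.log(`${r.status}  ${label(r)}  ${JSON.stringify(r.headers)}`);
  }
}

function label(r) {
  return r.label.padEnd(44);
}
```

Two points a practitioner should keep in mind when reading this alongside the thread. First, the browser sends a simple cross-origin GET to the server before it knows anything about Access-Control-Allow-Origin; the browser's own CORS check only keeps the response away from the requesting script. A server that does not perform a check like `decide` therefore still receives and processes the request, which is why the check has to live on the server that holds the private resource. Second, `parseOrigin` deliberately treats `null` and anything that is not a bare serialised origin as a refusal rather than as "no Origin", so that an attacker cannot fall through to the `absent` branch with a crafted header.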
