
Re: Why the restriction on unauthenticated GET in CORS?

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 20 Jul 2012 21:53:59 +0200
Cc: Adam Barth <w3c@adambarth.com>, Cameron Jones <cmhjones@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
Message-Id: <15D699F4-DF96-4598-862D-A941776D472E@bblfish.net>
To: "Tab Atkins Jr." <jackalmage@gmail.com>

On 20 Jul 2012, at 21:02, Tab Atkins Jr. wrote:

> On Fri, Jul 20, 2012 at 11:58 AM, Henry Story <henry.story@bblfish.net> wrote:
>> Of course, but you seem to want to support hidden legacy systems, that is systems none of us know about or can see. It is still a worthwhile inquiry to find out how many systems there are for which this is a problem, if any. That is:
>> 
>>  a) systems that use non-standard internal IP addresses
>>  b) systems that use IP-address provenance for access control
>>  c) ? potentially other issues that we have not covered
>> 
>> Systems with a) are going to be very rare it seems to me, and the question would be whether they can't really move over to standard internal IP addresses. Perhaps IPv6 makes that easy.
>> 
>> It is not clear that anyone should bother with designs such as b) - that's bad practice anyway I would guess.
> 
> We know that systems which base their security at least in part on
> network topology (are you on a computer inside the DMZ?) are common
> (because it's easy).

How many of those would use IP addresses that are not standard private IP addresses?
(Because if they do, then they would not be affected.)
Of those that do not, would IPv6 offer them a scheme where they could easily use standard private IP addresses?

> 
> ~TJ

Social Web Architect
http://bblfish.net/
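The question above (how many internal systems sit on addresses outside the standard private ranges) is one an administrator can answer for their own network with a simple inventory check. The following is an added example, not part of the thread; it classifies addresses against the RFC 1918 IPv4 blocks and the IPv6 unique-local block (fc00::/7) and flags hosts whose addresses fall outside them. The host inventory is constructed sample data, and the function names are the example's own.

```python
import ipaddress

# The "standard private" ranges referred to in the thread: RFC 1918 for IPv4
# and the unique-local block of RFC 4193 for IPv6.
STANDARD_PRIVATE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed sample inventory (hostname -> address) for demonstration only.
SAMPLE_HOSTS = {
    "intranet-wiki": "10.1.2.3",
    "build-server": "172.20.0.9",
    "legacy-erp": "11.0.0.5",        # public-looking address used internally
    "printer": "192.168.1.50",
    "lab-box": "fd12::1",            # IPv6 unique-local
    "router-mgmt": "172.32.0.1",     # just outside 172.16.0.0/12
}


def classify(addr: str) -> str:
    """Classify one address: 'loopback', 'link-local', 'standard-private' or 'other'.

    'other' covers both genuinely public addresses and non-standard internal
    address plans, which is exactly the population the thread asks about.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    # Membership test is version-aware: an IPv4 address is never "in" an IPv6 block.
    if any(ip in net for net in STANDARD_PRIVATE):
        return "standard-private"
    return "other"


def audit_hosts(hosts: dict) -> dict:
    """Return the subset of hosts whose addresses are not on standard private ranges."""
    return {name: addr for name, addr in hosts.items() if classify(addr) == "other"}


if __name__ == "__main__":
    for name, addr in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{name}: {addr} is outside the standard private ranges")
```

Hosts reported by `audit_hosts` are the ones for which a move to a standard private range (or away from IP-provenance access control altogether) would be worth evaluating; hosts already on RFC 1918 or fc00::/7 space are not listed.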
Received on Friday, 20 July 2012 19:54:32 GMT
