
Re: Why the restriction on unauthenticated GET in CORS?

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 20 Jul 2012 20:22:27 +0000 (UTC)
To: Henry Story <henry.story@bblfish.net>
cc: "Tab Atkins Jr." <jackalmage@gmail.com>, Adam Barth <w3c@adambarth.com>, Cameron Jones <cmhjones@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
Message-ID: <Pine.LNX.4.64.1207202019200.27616@ps20323.dreamhostps.com>

On Fri, 20 Jul 2012, Henry Story wrote:
> 
> How many of those would use ip addresses that are not standard private 
> ip addresses? (Because if they do, then they would not be affected). Of 
> those that do not, would IPV6 offer them a scheme where they could 
> easily use standard private ip addresses?

I think you're missing the point, which is that Web browser implementors 
are not willing to risk breaking any such deployments, however convoluted 
that makes the resulting technology. If you want a technology to be 
implemented, you have to consider implementors' constraints as hard 
constraints on your designs. In this case, the constraint is that they 
will not implement anything that increases the potential attack surface 
area, whether or not the potentially vulnerable deployed services are 
designed sanely. Once you realise that this is a hard constraint, 
questions such as yours above are obviously moot.

HTH,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 20 July 2012 20:22:52 GMT
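The constraint Ian describes rests on one mechanism: a cross-origin page may read a response only if the server explicitly opts in, so an intranet service on a private address that never sends CORS headers stays opaque to any page the user happens to visit. The following model of that browser-side check, plus the allowlist headers an intranet service would emit if it did want to opt in, is an added example written for this archive page; it is not code from the thread or from any browser or W3C project. The origins, addresses and allowlist are constructed sample values, and the header semantics follow the CORS rules (matching `Access-Control-Allow-Origin`, wildcard never combining with credentials).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values for the demonstration (not taken from the thread).
INTRANET_SERVICE = "http://10.0.0.5/admin/status"   # private address, never opted in to CORS
PUBLIC_API = "https://api.example.com/v1/public"    # public service that opted in with "*"
CROSS_SITE_PAGE = "https://evil.example"            # origin of an unrelated page the user visits


def _headers_lower(headers):
    """Normalise header names; HTTP header names are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def target_is_private(url):
    """True when the request host is a literal private, loopback or link-local IP.

    Hostnames return False here because DNS resolution is outside this model.
    """
    host = urlsplit(url).hostname
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def response_readable(request_origin, response_headers, with_credentials=False):
    """Browser-side CORS response check.

    Returns True only if the server explicitly allowed this origin to read the
    body. A service that sends no Access-Control-Allow-Origin header (the
    typical unmodified intranet deployment) yields an opaque response.
    """
    h = _headers_lower(response_headers)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False                  # no opt-in: body hidden from the page
    if acao == "*":
        return not with_credentials   # wildcard never combines with credentials
    if acao != request_origin:
        return False
    if with_credentials and h.get("access-control-allow-credentials") != "true":
        return False
    return True


# Constructed allowlist for an intranet service that chooses to opt in.
ALLOWED_ORIGINS = {"https://dashboard.example"}


def cors_headers_for(request_origin):
    """Headers an intranet service should emit when it deliberately opts in:
    echo only allowlisted origins (never '*'), and add Vary: Origin so a
    shared cache cannot replay one origin's opt-in to another."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}  # unknown origin: no opt-in, browser keeps the response opaque
    return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}


if __name__ == "__main__":
    for url, headers in ((INTRANET_SERVICE, {}),
                         (PUBLIC_API, {"Access-Control-Allow-Origin": "*"})):
        print(url, "private" if target_is_private(url) else "public",
              "readable" if response_readable(CROSS_SITE_PAGE, headers) else "opaque")
    print("allowlisted origin:", cors_headers_for("https://dashboard.example"))
    print("unknown origin:   ", cors_headers_for(CROSS_SITE_PAGE))
```

The first loop iteration is the case the thread is about: the private-address service sends nothing, so the cross-site page gets an opaque response regardless of whether the service itself authenticates. The allowlist function shows the opposite side, where a service that does want cross-origin readers names them one by one rather than emitting `*`.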

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 20 July 2012 20:22:53 GMT