- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 7 Feb 2008 21:10:07 +0000 (UTC)
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
On Thu, 7 Feb 2008, Close, Tyler J. wrote: > > where Jonas Sicking wrote: > > Ah, well, I'd say it's the Referer-Root site acting as an agent for > > the user. > > But we don't know for sure that the Referer-Root site had anything to do > with the request. The user could have sent the request on their own, and > tried to frame the Referer-Root site for the deed. It's not just about > whether or not the request is processed, but who is accountable for it > being processed. In some of your arguments, you seem to have not thought > beyond the point where the request is processed. The user could also fake the Referer header, and the Cookie header, and the HTTP authentication, and, in fact, anything at all about the request (except the source IP, though even that can be faked if you have a compromised machine at your disposal). If you are faced with a hostile client, then Access-Control is irrelevant. A hostile client can already do cross-site third party requests. Access-Control is designed only to protect the _user_ who, when visiting potentially hostile sites using a trusted conforming client, may be exposed to code that will try third-party access, in an environment where we want to allow more than is allowed today, including reading of cross-origin content, and writing of cross-origin non-GET requests with Content-Types that aren't possible from <form> elements. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 7 February 2008 21:10:28 UTC