Re: Do we need CORS for open data (was: Statistics on open data available for CORS consumption?)

Pierre-Antoine,

You've identified a core issue here, but the problem is that there may be
many more sources of "ambient authority" than simply a cookie. Resources
might respond non-uniformly based on the caller's network address, or they
might simply assume that access control was performed at the network layer
(e.g. this resource is only accessible to someone on this corporate
network, VPN, or behind an authenticated proxy, so we don't need cookies to
show you our internal document sharing site), or authentication might be
done with browser plugins not visible to the CORS algorithm. The CORS
algorithm defines an "anonymous" request, but given the wide deployment of
Web technologies and legacy resources, we simply can't know that we
wouldn't be opening dire security holes by making this kind of unilateral
change.  It has to be the responsibility of a server to indicate
affirmatively that it really _is_ "public data".

-Brad Hill

Received on Thursday, 22 January 2015 18:00:11 UTC
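What Brad's point looks like in the browser's own CORS response check, as an added example that is not part of this thread: a response without an Access-Control-Allow-Origin header stays opaque to a cross-origin caller no matter how the server decided to answer (cookie, client IP, VPN, proxy), so an intranet resource gated only by network location keeps its protection, while a server that really does serve public data opts in with the header. Header names follow the CORS/Fetch spec; the origins and sample responses are constructed.

```javascript
// CORS check a browser applies to a cross-origin response, following the
// Fetch spec: default deny unless the server affirmatively opts in.
// requestOrigin: serialized origin of the calling page
// credentialsMode: 'omit' | 'same-origin' | 'include' (fetch() credentials)
// responseHeaders: plain object of header name -> value
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive; normalise for lookup.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = value;
  }
  const allowOrigin = h['access-control-allow-origin'];
  // No opt-in from the server: the caller may not read the response,
  // whatever ambient authority (cookie, IP, VPN, proxy) produced it.
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== 'include') {
    // Anonymous request: wildcard or exact origin match is enough.
    return allowOrigin === '*' || allowOrigin === requestOrigin;
  }
  // Credentialed request: wildcard is not accepted, the origin must match
  // exactly, and the server must also allow credentials explicitly.
  if (allowOrigin !== requestOrigin) return false;
  return h['access-control-allow-credentials'] === 'true';
}

// Constructed sample responses (not real servers).
// Internal site that relies on network-layer access control and sends no
// CORS headers at all.
const intranetDoc = { 'Content-Type': 'text/html' };
// Genuinely public dataset that opts in for everyone.
const publicDataset = {
  'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': '*',
};
// API that opts in for one origin only, with credentials.
const perOriginApi = {
  'Access-Control-Allow-Origin': 'https://app.example',
  'Access-Control-Allow-Credentials': 'true',
};

// A page on an arbitrary origin trying to read each response.
const caller = 'https://other.example';
console.log('intranet readable:', corsCheck(caller, 'omit', intranetDoc));      // false
console.log('public data readable:', corsCheck(caller, 'omit', publicDataset)); // true
console.log('per-origin api readable:', corsCheck(caller, 'include', perOriginApi)); // false
```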