- From: Brad Hill <hillbrad@gmail.com>
- Date: Thu, 22 Jan 2015 17:59:44 +0000
- To: "public-ldp@w3.org" <public-ldp@w3.org>
Received on Thursday, 22 January 2015 18:00:11 UTC
Pierre-Antoine,

You've identified a core issue here, but the problem is that there may be many more sources of "ambient authority" than simply a cookie. Resources might respond non-uniformly based on the caller's network address, or they might simply assume that access control was performed at the network layer (e.g. this resource is only accessible to someone on this corporate network, VPN, or behind an authenticated proxy, so we don't need cookies to show you our internal document sharing site), or authentication might be done with browser plugins not visible to the CORS algorithm.

The CORS algorithm defines an "anonymous" request, but given the wide deployment of Web technologies and legacy resources, we simply can't know that we wouldn't be opening dire security holes by making this kind of unilateral change. It has to be the responsibility of a server to indicate affirmatively that it really _is_ "public data".

-Brad Hill
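The argument above can be made concrete with a small model of the two pieces that interact: the origin server's own access decision (which may rest on the client's network address rather than on a cookie) and the browser's CORS check on the `Access-Control-Allow-Origin` header. The code below is an added illustration, not part of Brad Hill's message or of any LDP or CORS specification; the resource table, the address ranges treated as "internal", and the request objects are all constructed for the example. It contrasts a naive policy that treats a cookie-less request as anonymous with the affirmative opt-in the message calls for.

```javascript
// Added example (not from the original mailing-list message): a model of how
// server-side "ambient authority" interacts with a browser's CORS check.
// Resource table, address ranges and requests are constructed for illustration.

const RESOURCES = {
  "/api/public/weather": { publiclyShared: true, auth: "none" },   // owner opted in
  "/intranet/docs":      { publiclyShared: false, auth: "network" }, // trusts the LAN/VPN
  "/api/me":             { publiclyShared: false, auth: "cookie" },  // needs a session cookie
};

// Constructed notion of "internal": RFC 1918 style prefixes.
function isInternalAddress(ip) {
  return ip.startsWith("10.") || ip.startsWith("192.168.");
}

// The origin server's own access decision. "network" auth is the case the
// message describes: access was "performed at the network layer", so no cookie
// is ever involved, yet the content is not public.
function serverAuthorizes(path, req) {
  const res = RESOURCES[path];
  if (!res) return false;
  switch (res.auth) {
    case "none":    return true;
    case "network": return isInternalAddress(req.clientIp);
    case "cookie":  return Boolean(req.cookie);
    default:        return false;
  }
}

// Naive policy: a request carrying no cookie is treated as "anonymous" and
// therefore exposed to every origin. This is the unilateral change argued
// against in the message.
function naiveCorsHeaders(path, req) {
  return req.cookie ? {} : { "Access-Control-Allow-Origin": "*" };
}

// Affirmative policy: only resources whose owner explicitly declared them
// public receive a permissive header; everything else gets no CORS header.
function affirmativeCorsHeaders(path, req) {
  const res = RESOURCES[path];
  return res && res.publiclyShared ? { "Access-Control-Allow-Origin": "*" } : {};
}

// Model of the browser's CORS response check: a script running on req.origin
// may read the body only if the server served it AND the ACAO header matches.
function crossOriginScriptCanRead(policy, path, req) {
  if (!serverAuthorizes(path, req)) return false;
  const acao = policy(path, req)["Access-Control-Allow-Origin"];
  return acao === "*" || acao === req.origin;
}

// Constructed request: an employee's browser on the corporate LAN running a
// page from an unrelated site; the browser sends no cookie for the intranet.
const lanRequestFromForeignPage = {
  origin: "https://other.example",
  clientIp: "10.1.2.3",
  cookie: null,
};

// Constructed request: the same foreign page loaded from outside the LAN,
// with a session cookie present for the cookie-protected resource.
const externalRequestWithCookie = {
  origin: "https://other.example",
  clientIp: "203.0.113.5",
  cookie: "session=abc",
};

// Compare the two policies on the network-protected intranet resource.
function policyComparison() {
  return {
    naiveExposesIntranet:
      crossOriginScriptCanRead(naiveCorsHeaders, "/intranet/docs", lanRequestFromForeignPage),
    affirmativeExposesIntranet:
      crossOriginScriptCanRead(affirmativeCorsHeaders, "/intranet/docs", lanRequestFromForeignPage),
  };
}

console.log(policyComparison()); // the naive policy leaks; the affirmative one does not
```

The "network" branch is the whole point: under the naive policy the intranet document is readable by a script from `other.example` purely because the employee's browser sent no cookie, while the affirmative policy leaves it closed until the resource owner sets `publiclyShared`. Real deployments would also need to consider `Access-Control-Allow-Credentials` and `Vary: Origin`, which this model omits.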