
Re: Do we need CORS for open data (was: Statistics on open data available for CORS consumption?)

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 22 Jan 2015 17:59:44 +0000
Message-ID: <CAEeYn8jr6C9QSgeVAw-zt_3uWpW=Efwzvz0UjQ-=dvhFTy5S6w@mail.gmail.com>
To: "public-ldp@w3.org" <public-ldp@w3.org>

You've identified a core issue here, but the problem is that there may be
many more sources of "ambient authority" than simply a cookie. Resources
might respond non-uniformly based on the caller's network address, or they
might simply assume that access control was performed at the network layer
(e.g. this resource is only accessible to someone on this corporate
network, VPN, or behind an authenticated proxy, so we don't need cookies to
show you our internal document sharing site), or authentication might be
done with browser plugins not visible to the CORS algorithm. The CORS
algorithm defines an "anonymous" request, but given the wide deployment of
Web technologies and legacy resources, we simply can't know that we
wouldn't be opening dire security holes by making this kind of unilateral
change. It has to be the responsibility of a server to indicate
affirmatively that it really _is_ "public data".

-Brad Hill
Received on Thursday, 22 January 2015 18:00:11 UTC
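The affirmative opt-in the message argues for is exactly what the browser's CORS read check enforces. The following is an added example, not code from Brad Hill or the public-ldp thread: a simplified model of that check (the real algorithm also covers preflights, exposed headers and the `null` origin) together with a hypothetical server-side handler that only emits `Access-Control-Allow-Origin` for resources an operator has explicitly declared public. The function names `corsAllowsRead` and `responseHeadersFor`, the `PUBLIC_PATHS` set and the sample paths and origins are all constructed for illustration.

```javascript
// Added example (not from the original message). Models the browser-side
// decision of whether a cross-origin caller may read a response: the server
// must opt in with Access-Control-Allow-Origin, and for credentialed requests
// additionally with Access-Control-Allow-Credentials. Without that opt-in the
// browser assumes the resource may be guarded by ambient authority (cookies,
// network position, proxy auth, plugins) and withholds the body.

// requestOrigin:   serialized origin of the calling page, e.g. "https://app.example"
// responseHeaders: plain object, lower-cased header name -> value
// credentialed:    true if cookies / HTTP auth / client certs were attached
function corsAllowsRead(requestOrigin, responseHeaders, credentialed) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin: server never opted in" };
  }
  if (acao === "*") {
    // The wildcard is honoured only for anonymous requests, so a page cannot
    // turn the user's ambient cookies into a readable response.
    if (credentialed) {
      return { allowed: false, reason: "wildcard not permitted for credentialed request" };
    }
    return { allowed: true, reason: "server published the resource to any origin" };
  }
  if (acao !== requestOrigin) {
    return { allowed: false, reason: "listed origin " + acao + " does not match " + requestOrigin };
  }
  if (credentialed && responseHeaders["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "origin matches but credentials not explicitly allowed" };
  }
  return { allowed: true, reason: "server explicitly allowed this origin" };
}

// Server side of the same decision (hypothetical handler). Only paths the
// operator has declared public get the opt-in header; an intranet document
// that relies on network-layer access control stays unreadable cross-origin
// by default, which is the "affirmative indication" the message asks for.
const PUBLIC_PATHS = new Set(["/datasets/air-quality.csv"]); // constructed sample

function responseHeadersFor(path) {
  const headers = { "content-type": path.endsWith(".csv") ? "text/csv" : "text/html" };
  if (PUBLIC_PATHS.has(path)) {
    headers["access-control-allow-origin"] = "*";
  }
  return headers;
}

// Walk-through with constructed requests.
const caller = "https://app.example";
[
  ["/datasets/air-quality.csv", false],
  ["/intranet/report.html", false],   // reachable only on the corporate network
  ["/intranet/report.html", true],
].forEach(([path, cred]) => {
  const verdict = corsAllowsRead(caller, responseHeadersFor(path), cred);
  console.log(path, cred ? "(credentialed)" : "(anonymous)", "->", verdict.allowed, ":", verdict.reason);
});
```

The point the two halves make together: the intranet report is not "public" just because the caller's browser could fetch it from inside the network; the browser only hands the bytes to the page when the server has said so in the response.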
