RE: CORS question

Brandon,

The requirement is that CORS does not introduce any new Cross-Site Request Forgery attack capabilities not present in legacy user agents.  Therefore, all requests that cannot be generated by pre-CORS user agents through methods like GET, POST and HEAD that are available through legacy HTML+JS must be anonymous or pre-authorized.

The user agent should not send requests with credentials on non-simple HTTP methods unless and until the server indicates it is prepared to accept such by responding to the pre-flight request.

Does this answer your question?

-Brad

From: brandon.sterne@gmail.com [mailto:brandon.sterne@gmail.com] On Behalf Of Brandon Sterne
Sent: Tuesday, February 05, 2013 1:38 PM
To: public-web-security@w3.org
Subject: CORS question

Hey guys,

Co-workers of mine were trying to understand the threat model of CORS, and I was having trouble articulating some of the particular risks that the spec attempts to avoid.  Why does the OPTIONS pre-flight request never carry credentials?
Thanks,
Brandon

Received on Tuesday, 5 February 2013 22:38:23 UTC
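The handshake Brad describes, as an added example that is not part of the thread: a JavaScript model of the server's preflight handler and of what a browser puts on the wire for simple versus non-simple cross-origin requests. The allowed origin `https://app.example`, the method and header allow-lists, the `X-CSRF-Token` header name and the sample requests are constructed assumptions, not values from the discussion.

```javascript
// Added example, not part of the original thread: a small model of both sides
// of the CORS preflight handshake. The allowed origin, the method/header
// allow-lists and the sample requests are constructed values.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Server policy (constructed): one trusted origin, a few methods, one custom header.
const ALLOWED_ORIGINS = new Set(['https://app.example']);
const ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT', 'DELETE']);
const ALLOWED_REQUEST_HEADERS = new Set(['content-type', 'x-csrf-token']);

// A request is "simple" when a pre-CORS browser could already have produced it
// (form submission, image or script tag): GET/HEAD/POST, only safelisted author
// headers, form-style Content-Type. These go out without a preflight, so CORS
// grants no new CSRF capability for them; the server must keep its existing
// CSRF defences (tokens, SameSite cookies) on such endpoints.
function isSimpleRequest(req) {
  if (!SIMPLE_METHODS.has(req.method)) return false;
  const names = Object.keys(req.headers).map((n) => n.toLowerCase());
  if (!names.every((n) => SAFELISTED_HEADERS.has(n))) return false;
  const ct = Object.entries(req.headers).find(([k]) => k.toLowerCase() === 'content-type');
  if (ct) {
    const mime = ct[1].split(';')[0].trim().toLowerCase();
    if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;
  }
  return true;
}

// Server side of the preflight. The browser sends OPTIONS without cookies or
// Authorization, so this function must not consult session state: it only
// answers whether the *described* request would be acceptable from that origin.
function handlePreflight(preflight) {
  const wantedHeaders = preflight.requestHeaders.map((h) => h.toLowerCase());
  const allowed = ALLOWED_ORIGINS.has(preflight.origin)
    && ALLOWED_METHODS.has(preflight.requestMethod)
    && wantedHeaders.every((h) => ALLOWED_REQUEST_HEADERS.has(h));
  if (!allowed) return { status: 403, headers: {} }; // no CORS headers: browser aborts
  return {
    status: 204,
    headers: {
      // Echo the specific origin. "*" cannot be combined with credentials, and
      // reflecting arbitrary origins would hand every site the credentialed
      // cross-origin capability the preflight exists to withhold.
      'Access-Control-Allow-Origin': preflight.origin,
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Allow-Methods': [...ALLOWED_METHODS].join(', '),
      'Access-Control-Allow-Headers': [...ALLOWED_REQUEST_HEADERS].join(', '),
      'Access-Control-Max-Age': '600',
      'Vary': 'Origin',
    },
  };
}

function parseList(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Browser side: given a cross-origin request a page wants to make, report what
// actually goes on the wire. Simple requests are sent immediately (with cookies
// when the page asked for them, just as a legacy form post would). Anything
// else is preceded by an anonymous preflight, and the credentialed request
// follows only if the server opted in.
function simulateCrossOriginFetch(req, server = handlePreflight) {
  const trace = { preflightSent: false, preflightCredentials: false, actualSent: false, actualCredentials: false };
  if (isSimpleRequest(req)) {
    trace.actualSent = true;
    trace.actualCredentials = req.credentials;
    return trace;
  }
  trace.preflightSent = true; // preflightCredentials stays false: never cookies or Authorization
  const answer = server({
    method: 'OPTIONS',
    origin: req.origin,
    requestMethod: req.method,
    requestHeaders: Object.keys(req.headers),
  });
  const h = answer.headers;
  const allowedHeaders = parseList(h['Access-Control-Allow-Headers']).map((s) => s.toLowerCase());
  const ok = answer.status < 400
    && h['Access-Control-Allow-Origin'] === req.origin
    && (!req.credentials || h['Access-Control-Allow-Credentials'] === 'true')
    && parseList(h['Access-Control-Allow-Methods']).includes(req.method)
    && Object.keys(req.headers).every((n) => allowedHeaders.includes(n.toLowerCase()));
  if (ok) {
    trace.actualSent = true;
    trace.actualCredentials = req.credentials;
  }
  return trace;
}
```

Running `simulateCrossOriginFetch` on a credentialed `DELETE` from an origin that is not on the allow-list shows the preflight going out without credentials and the actual request never being sent, while a credentialed form-style `POST` from the same origin is sent with no preflight at all, which is exactly the legacy capability Brad says CORS must not widen and why the endpoint still needs its own CSRF check.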