Re: [spec-reviews] "With Credentials" flag possibly inconsistent with web architecture (#76) from Anne van Kesteren on 2015-09-16 (public-webapps-github@w3.org from September 2015)

From: Anne van Kesteren <notifications@github.com>
Date: Wed, 16 Sep 2015 02:48:50 -0700
To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Message-ID: <w3ctag/spec-reviews/issues/76/140690939@github.com>

> ... as otherwise the tendency is to leave a proxy open a a script's origin server to relay anything any everything without any caution or CORS, which obviously defeats the whole Same Origin Model.

That does not defeat the same-origin policy actually. A proxy server is perfectly acceptable. I recommend reading https://annevankesteren.nl/2015/02/same-origin-policy if you want to know what the same-origin policy protects against. The only problem with a proxy server is that it creates an additional request. That is why we have CORS.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/issues/76#issuecomment-140690939

Received on Wednesday, 16 September 2015 09:49:18 UTC