Re: [whatwg/fetch] Proposal: Allow servers to take full responsibility for cross-origin access protection (#878)

A number of your use cases (2, 4, and 7) refer to authentication or access control.  I think understanding whether those use cases are being addressed securely (and, e.g., not in a way that's subject to the confused deputy problem) requires understanding what the use cases for that authentication or access control are.  That is, why is authentication or access control being used, and is this solution sufficient for that reason?

-----

Also, one other side comment: while `Access-Control-Allow-Origin: *` may or may not be the best name for what it does, its design serves a very important use case, as Anne has pointed out in a number of other discussions:  it tells the browser that the data can be shared in any way that is known to be safe if the server is on the public internet (rather than behind a firewall).  This means that this header is designed so that it can be safely added to the HTTP responses on all servers that aren't behind a firewall, and thus can make large amounts of data usable cross-origin in browsers, quickly, without introducing a bunch of security risks that require careful thought.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/878#issuecomment-471137874

Received on Saturday, 9 March 2019 02:29:29 UTC