- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 12 Oct 2009 08:36:02 +0200
- To: "Mark S. Miller" <erights@google.com>
- Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, "Jonas Sicking" <jonas@sicking.cc>, "Arthur Barstow" <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Sat, 10 Oct 2009 01:36:50 +0200, Mark S. Miller <erights@google.com> wrote:

> The last of the links above should make the application to CORS
> concrete. See also the dismissive replies which followed in that
> thread. If you find these dismissals plausible, please imagine back to
> the world in which CSRF was first diagnosed (second bullet above) and
> ask if CSRFs would have also seemed merely theoretical back then? In
> both cases, the answer "well don't do that" seems to make sense on
> first analysis for the same reasons.

The concern seems to be mostly about CORS being an access control system. I'm not entirely sure that is justified (though the headers are indeed confusingly named, mea culpa). All CORS does is allow cross-origin resources to communicate with each other. What actions follow from requests should in general not follow from (just) the origin where the request originated. That would allow all kinds of trouble.

Then again, I think this was explained before as well, so I kind of have the feeling we are going around in circles.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 12 October 2009 06:36:54 UTC
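An added example (not from this thread, nor from any CORS implementation) of the separation the reply argues for: the server derives the CORS headers from an origin allowlist, while the state-changing action is authorized from the user's session and an anti-CSRF token, not from the Origin header. The request shape, names and sample values are assumptions.

```javascript
// Added example: CORS headers only govern whether a cross-origin page may
// read the response; whether the action runs is decided separately from the
// session and an anti-CSRF token. Request shape and values are assumed.

const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Part 1: CORS. Echo the origin only if it is on the allowlist; the browser
// then lets that page read the response body. Nothing here authorizes an action.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Part 2: authorization. The browser may attach a logged-in user's cookie to a
// request a foreign page triggered (the CSRF setting), so a state-changing
// action also needs a token that page cannot obtain. Origin plays no role here.
function authorizeTransfer(req, sessions) {
  const session = sessions.get(req.cookies.sid);
  if (!session) return { ok: false, status: 401 };
  if (req.headers['x-csrf-token'] !== session.csrfToken) {
    return { ok: false, status: 403 };
  }
  return { ok: true, status: 200, user: session.user };
}

// The action outcome and the CORS headers are computed independently: an
// allowed origin without a token is still refused, and a valid session with
// a token still runs even if the origin may not read the reply.
function handleTransfer(req, sessions) {
  const auth = authorizeTransfer(req, sessions);
  return {
    status: auth.status,
    headers: corsHeaders(req.headers['origin']),
    body: auth.ok ? `transfer by ${auth.user}` : 'denied',
  };
}

// Constructed sample state: one logged-in session.
const sessions = new Map([['s1', { user: 'alice', csrfToken: 't0k3n' }]]);
```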