- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 21 Dec 2009 17:35:50 -0800
- To: Kenton Varda <kenton@google.com>
- Cc: Ian Hickson <ian@hixie.ch>, Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
On Mon, Dec 21, 2009 at 5:17 PM, Kenton Varda <kenton@google.com> wrote:
> The problem we're getting at is that CORS is being presented as a security
> mechanism, when in fact it does not provide security. Yes, CORS is
> absolutely easier to use than UM in some cases -- I don't think anyone is
> going to dispute that. The problem is that the security it provides in
> those cases simply doesn't exist unless you can ensure that no resource on
> *any* of your allowed origins can be tricked into fetching your "protected"
> resource for a third party. In practice this will be nearly impossible to
> ensure except in the most simple cases.

Why isn't this a big problem today for normal XMLHttpRequest? Normal
XMLHttpRequest is just like a CORS deployment in which every server has a
policy of allowing its own origin.

Adam
Received on Tuesday, 22 December 2009 01:36:51 UTC
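The two policies compared in this exchange, written out as an added example (not code from the thread or from any CORS implementation): a server-side origin allow-list check, the same-origin rule it reduces to when the list holds only the server itself, and Kenton's caveat expressed as a reachability computation. The origins, the `relays` map and all function names are constructed for illustration.

```javascript
// Decide which Access-Control-Allow-Origin value (if any) to send for a
// request. null means the origin is not listed, so the browser withholds
// the response body from the requesting page.
function corsAllowOrigin(requestOrigin, allowedOrigins) {
  if (typeof requestOrigin !== 'string') return null; // no Origin header
  return allowedOrigins.includes(requestOrigin) ? requestOrigin : null;
}

// Classic same-origin XMLHttpRequest: the page may read the response only
// when its origin is the server's own origin.
function sameOriginAllows(requestOrigin, serverOrigin) {
  return requestOrigin === serverOrigin;
}

// Adam's observation, checked over a sample of origins: a CORS allow-list
// containing only the server's own origin makes exactly the decisions the
// same-origin policy makes.
function corsSelfOnlyEqualsSameOrigin(serverOrigin, sampleOrigins) {
  return sampleOrigins.every(o =>
    (corsAllowOrigin(o, [serverOrigin]) !== null) === sameOriginAllows(o, serverOrigin));
}

// Kenton's caveat as a risk computation (defender's view): the resource is
// readable by every listed origin and, transitively, by any origin that a
// listed origin's pages will forward fetched data to. `relays` is a
// constructed, hypothetical map: origin -> origins it relays responses to.
function effectiveReaders(allowedOrigins, relays) {
  const seen = new Set();
  const stack = [...allowedOrigins];
  while (stack.length) {
    const o = stack.pop();
    if (seen.has(o)) continue;
    seen.add(o);
    for (const next of relays[o] || []) stack.push(next);
  }
  return [...seen].sort();
}
```

If `effectiveReaders` returns more origins than the allow-list, the list is not the real trust boundary; the relaying page is.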