- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 02 Jun 2011 20:52:39 -0400
- To: public-webapps@w3.org
On 6/2/11 6:41 PM, Margarita Podskrobko wrote:
> I have read a couple of discussions in this mail list concerning security
> issues of CORS. AFAIU, the main point of CORS is to delegate security
> enforcement point from client browser (requestor of resource) to server
> (possessor of resource).

It's the other way around. It's to delegate the security enforcement to the _browser_. The server responds with the resource and Access-Control-Allow-Origin and the browser uses that information to decide whether to give the data to the origin that asked for it.

The Origin header the browser sends is effectively advisory; clearly anyone can always send an HTTP request to a server with a given Origin header (using telnet to port 80, say!). So the server should not be making any assumptions about what the Origin header really means security-wise.

> So my understanding is that only servers which allow requests from all origins
> or servers which completely forbid cross origin requests are in safe
> situation.

The client can always send an Origin header claiming the request is same-origin...

-Boris
Received on Friday, 3 June 2011 00:53:08 UTC
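The exchange Boris describes, as an added illustration that is not part of the thread and not code from any browser or server project. Both sides are simulated in one file: a hypothetical server handler that only chooses which Access-Control-Allow-Origin value to emit, a hypothetical browser-side check that decides whether the page may read the response, and constructed raw requests of the kind anyone can type into telnet. The allowlist, resource and all function names are assumptions made for the example.

```python
"""CORS enforcement lives in the browser, not the server.

Added example. Hypothetical names: ALLOWED_ORIGINS, SECRET_RESOURCE,
parse_request, server_handle, browser_may_read, build_request, demo.
The request bytes are constructed inline.
"""
from __future__ import annotations

# Hypothetical allowlist: the server echoes one of these back in
# Access-Control-Allow-Origin; it does not gate the body on it.
ALLOWED_ORIGINS = {"https://app.example"}
SECRET_RESOURCE = b'{"balance": 1234}'


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 parser: request line plus headers (no body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def server_handle(raw: bytes) -> tuple[int, dict, bytes]:
    """What a CORS-enabled server does with the advisory Origin header.

    It cannot verify who sent the request, so it only decides which
    Access-Control-Allow-Origin value (if any) to emit. The body is
    returned either way; whether a page gets to read it is decided by
    the browser in browser_may_read().
    """
    req = parse_request(raw)
    headers = {"Content-Type": "application/json"}
    origin = req["headers"].get("origin")
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"  # response depends on Origin; do not cache across origins
    return 200, headers, SECRET_RESOURCE


def browser_may_read(page_origin: str, status: int, headers: dict) -> bool:
    """Browser-side enforcement for a simple (non-preflighted) request:
    the response is exposed to the calling page only if the server named
    that page's origin, or '*', in Access-Control-Allow-Origin."""
    acao = headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


def build_request(origin: str | None) -> bytes:
    """Constructed raw request; the Origin value is whatever the sender wants."""
    lines = [b"GET /api/balance HTTP/1.1", b"Host: bank.example"]
    if origin is not None:
        lines.append(b"Origin: " + origin.encode())
    return b"\r\n".join(lines) + b"\r\n\r\n"


def demo() -> dict:
    # 1. Real browser on an allowed origin: server echoes ACAO, page reads the body.
    status, hdrs, _ = server_handle(build_request("https://app.example"))
    allowed_page = browser_may_read("https://app.example", status, hdrs)

    # 2. Real browser on a hostile origin: no ACAO, so the browser withholds
    #    the body from the page, although the server still sent it.
    status, hdrs, body2 = server_handle(build_request("https://evil.example"))
    hostile_page = browser_may_read("https://evil.example", status, hdrs)

    # 3. Non-browser client (telnet/curl) forging an allowed Origin: the
    #    server cannot tell the difference and there is no browser to enforce.
    _, hdrs3, body3 = server_handle(build_request("https://app.example"))

    return {
        "allowed_page_reads_body": allowed_page,
        "hostile_page_reads_body": hostile_page,
        "hostile_request_still_got_body": body2 == SECRET_RESOURCE,
        "forged_origin_acao": hdrs3.get("Access-Control-Allow-Origin"),
        "forged_origin_got_body": body3 == SECRET_RESOURCE,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point cases 2 and 3 make together: the allowlist buys the server nothing against a client that is not a browser, so CORS is about protecting the user's browser-held credentials from hostile pages, and an endpoint that must not hand data to arbitrary callers needs its own authentication on every request, not an Origin check.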