Re: file sharing services

On 12/1/11 3:48 PM, Jonas Sicking wrote:
> On Thu, Dec 1, 2011 at 1:51 PM, Charles Pritchard <chuck@jumis.com> wrote:
>> There are serious security implications for enabling CORS, even with
>> session-less requests.
>> It's going to be a very long opt-in process for file sharing services.
> This is a very strong statement backed up by absolutely no information
> or data at all. Not very convincing.
>
> Please clarify what you are referring to.

Direct and anonymous read access is a very new thing.

At its most basic: UAs have always required a server, somewhere, to 
proxy anonymous requests. With direct access, items like IP-based 
security and auditing are not as reliable. It'd be very easy to do 
screen scraping on sites that don't particularly want scraping to be done.

While it's easy now, it has to be done from the server-side. When hosts 
open up their servers, they're allowing it to be done client-side.

For my interests, I very much want <img crossorigin=anonymous> to work 
everywhere.

Yehuda is simply asking for a change to the text, describing the 
implications of enabling CORS... That's fine.
I'll comment on it when I see the text.

-Charles

Received on Thursday, 1 December 2011 23:58:51 UTC