- From: Charles Pritchard <chuck@jumis.com>
- Date: Thu, 01 Dec 2011 15:58:19 -0800
- To: Jonas Sicking <jonas@sicking.cc>
- CC: Yehuda Katz <wycats@gmail.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, Nicolas Mollet <nico.mollet@gmail.com>, public-webapps@w3.org
On 12/1/11 3:48 PM, Jonas Sicking wrote:
> On Thu, Dec 1, 2011 at 1:51 PM, Charles Pritchard <chuck@jumis.com> wrote:
>> There are serious security implications for enabling CORS, even with
>> session-less requests.
>> It's going to be a very long opt-in process for file sharing services.
> This is a very strong statement backed up by absolutely no information
> or data at all. Not very convincing.
>
> Please clarify what you are referring to.

Direct and anonymous read access is a very new thing.

At its most basic: UAs have always required a server, somewhere, to proxy anonymous requests. With direct access, items like IP-based security and auditing are not as reliable.

It'd be very easy to do screen scraping on sites that don't particularly want scraping to be done. While it's easy now, it has to be done from the server-side. When hosts open up their servers, they're allowing it to be done client-side.

For my interests, I very much want <img crossorigin=anonymous> to work everywhere.

Yehuda is simply asking for a change to the text, describing the implications of enabling CORS... That's fine. I'll comment on it when I see the text.

-Charles
Received on Thursday, 1 December 2011 23:58:51 UTC
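An added example, not code from this thread or from any of its posters: a minimal server-side CORS decision for a file-sharing host that opts in only to anonymous reads, contrasting a per-origin allowlist with the fully open `*` answer, and recording the Origin in the audit record because, once direct read access exists, the client IP alone no longer says which site is reading. The function and constant names, the sample origins and the request samples are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field

# Hypothetical allowlist for a host that opts in narrowly (assumption).
ALLOWED_ORIGINS = frozenset({"https://viewer.example"})


@dataclass
class Decision:
    headers: dict = field(default_factory=dict)  # response headers to emit
    audit: dict = field(default_factory=dict)    # record for the access log


def cors_decision(request_headers, client_ip, allowed=ALLOWED_ORIGINS, public=False):
    """Decide CORS response headers under an anonymous-read-only policy.

    - No Origin header: not a CORS request, emit nothing.
    - Cookie/Authorization present: credentialed request, refuse it.
    - public=True: the host has opted in for everyone, emit '*' (open read).
    - Otherwise echo the Origin only if it is on the allowlist.
    Every outcome is logged together with the Origin header.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    credentialed = "cookie" in hdrs or "authorization" in hdrs
    audit = {"ip": client_ip, "origin": origin, "credentialed": credentialed}
    if origin is None:
        audit["cors"] = "not-cors"
        return Decision({}, audit)
    if credentialed:
        audit["cors"] = "denied-credentialed"
        return Decision({}, audit)
    if public:
        audit["cors"] = "allowed-public"
        return Decision({"Access-Control-Allow-Origin": "*"}, audit)
    if origin not in allowed:
        audit["cors"] = "denied-origin"
        return Decision({}, audit)
    audit["cors"] = "allowed-origin"
    return Decision({"Access-Control-Allow-Origin": origin, "Vary": "Origin"}, audit)


# Constructed samples: an <img crossorigin=anonymous> style fetch (Origin
# present, no Cookie) versus a credentialed fetch from the same origin.
ANON_REQ = {"Origin": "https://viewer.example", "User-Agent": "sample"}
CRED_REQ = {"Origin": "https://viewer.example", "Cookie": "session=abc"}

if __name__ == "__main__":
    for req in (ANON_REQ, CRED_REQ, {"User-Agent": "sample"}):
        d = cors_decision(req, "192.0.2.10")
        print(d.headers, d.audit)
```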