- From: Cameron Jones <cmhjones@gmail.com>
- Date: Thu, 19 Jul 2012 15:50:00 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Henry Story <henry.story@bblfish.net>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones <cmhjones@gmail.com> wrote: >> Isn't this mitigated by the Origin header? > > No. > > Could you expand on this response, please? My understanding is that requests generate from XHR will have Origin applied. This can be used to reject requests from 3rd party websites within browsers. Therefore, intranets have the potential to restrict access from internal user browsing habits. >> Also, what about the point that this is unethically pushing the costs >> of securing private resources onto public access providers? > > It is far more unethical to expose a user's private data. > > Yes, but if no user private data is being exposed then there is cost being paid for no benefit. > -- > http://annevankesteren.nl/ Thanks, Cameron Jones
Received on Thursday, 19 July 2012 14:50:31 UTC