Re: Why the restriction on unauthenticated GET in CORS?

On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones <cmhjones@gmail.com> wrote:
> On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones <cmhjones@gmail.com> wrote:
>>> Isn't this mitigated by the Origin header?
>>
>> No.
>
> Could you expand on this response, please?
>
> My understanding is that requests generate from XHR will have Origin
> applied. This can be used to reject requests from 3rd party websites
> within browsers. Therefore, intranets have the potential to restrict
> access from internal user browsing habits.

They have the potential, but existing networks don't do that.  We need
to protect legacy systems that don't understand the Origin header.

>>> Also, what about the point that this is unethically pushing the costs
>>> of securing private resources onto public access providers?
>>
>> It is far more unethical to expose a user's private data.
>
> Yes, but if no user private data is being exposed then there is cost
> being paid for no benefit.

I think it's difficult to discuss ethics without agreeing on an
ethical theory.  Let's stick to technical, rather than ethical,
discussions.

Adam

Received on Friday, 20 July 2012 07:30:55 UTC