- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 20 Jul 2012 00:29:48 -0700
- To: Cameron Jones <cmhjones@gmail.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Henry Story <henry.story@bblfish.net>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones <cmhjones@gmail.com> wrote: > On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote: >> On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones <cmhjones@gmail.com> wrote: >>> Isn't this mitigated by the Origin header? >> >> No. > > Could you expand on this response, please? > > My understanding is that requests generate from XHR will have Origin > applied. This can be used to reject requests from 3rd party websites > within browsers. Therefore, intranets have the potential to restrict > access from internal user browsing habits. They have the potential, but existing networks don't do that. We need to protect legacy systems that don't understand the Origin header. >>> Also, what about the point that this is unethically pushing the costs >>> of securing private resources onto public access providers? >> >> It is far more unethical to expose a user's private data. > > Yes, but if no user private data is being exposed then there is cost > being paid for no benefit. I think it's difficult to discuss ethics without agreeing on an ethical theory. Let's stick to technical, rather than ethical, discussions. Adam
Received on Friday, 20 July 2012 07:30:55 UTC