Re: CORS explained simply

On 2/19/15 4:28 PM, henry.story@bblfish.net wrote:
> Hi,
>
>    I find that understanding CORS is really not easy.
> It seems that what is missing is a general overview document,
> that would start by explaining why the simplest possible method
> won't work, in order to help the user understand then why more
> complex methods are needed.
>
> For example the first thing one should start by explaining is for
>
>   1) requests that do not require authentication
>     q1: why is the origin sent at all? And why are there still restrictions?
>     q2: why does POSTing a url encoded form not require pre-flight? But why does POSTing other data do?
>
>   2) On requests that do need authentication:
>     q3: Why are the pre-flight requests needed at all?
>
> I know that the answer to q1 is that some servers have access control methods
> based on ip address of the client. But it is worth stating clearly the requirement
> in the specs so that this can be understood.
>
> There is also the question as to why the server needs to make a decision as to
> what the client can see. But why can't it be the client? After all the user could
> decide to give more rights to some JS apps than to others, and that would work too.
>
> I am not saying that these questions don't have answers. It is just that they
> would help a developer understand why CORS has taken the shape it has, and so
> understanding the reasons for the decisions taken, be better able to think about it.

Hi Henry,

I agree this type of info would be useful so a long time ago I started 
to bookmark related resources (f.ex. see [1]) but stopped as CORS became 
deployed and sites like enable-cors.org emerged. Maciej's deck [2] is 
still a really nice overview.

(BTW, public-webappsec might be a good place to send your e-mail.)

-Thanks, AB

[1] https://delicious.com/afbarstow/CORS
[2] https://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0468/CORS.pdf
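To make q2 (why a form-encoded POST skips preflight) and the "who decides what the client can see" question concrete, here is an added Python example that is not part of this thread or written by its authors: it classifies a request as simple or preflighted using the CORS-safelisted method, header and Content-Type rules from the Fetch spec, and checks what a server's response headers expose to an anonymous versus a credentialed request. The function names and sample headers are constructed for illustration.

```python
# Added example (not from the mailing-list thread): classifies a cross-origin
# request as "simple" (sent directly, no preflight) or "preflighted", using
# the CORS-safelisted method/header/Content-Type rules from the Fetch spec,
# and checks a server's response headers against a credentialed request.

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# Only the Content-Types a plain HTML <form> could already send are safelisted.
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def needs_preflight(method: str, headers: dict) -> bool:
    """True if the browser must send an OPTIONS preflight first.

    A request avoids preflight only if it could have been produced by a
    pre-CORS <form> or <img>: GET/HEAD/POST, safelisted headers, and a
    form-style Content-Type. PUT/DELETE, application/json or custom headers
    are new capabilities, so the server must opt in via preflight.
    """
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SAFELISTED_CONTENT_TYPES:
                return True
    return False


def response_exposes_to(origin: str, credentialed: bool, resp_headers: dict) -> bool:
    """Would the browser let a page at `origin` read this response?

    The server decides, not the page: it must echo the exact origin (or "*"
    for anonymous requests). With cookies or HTTP auth attached, "*" is
    rejected, so an intranet service that relies on the client's IP or
    cookies is not readable by arbitrary sites just because it sent "*".
    """
    allow_origin = resp_headers.get("Access-Control-Allow-Origin")
    if allow_origin is None:
        return False
    if credentialed:
        creds = resp_headers.get("Access-Control-Allow-Credentials", "").lower()
        return allow_origin == origin and creds == "true"
    return allow_origin in ("*", origin)
```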

Received on Thursday, 19 February 2015 22:12:21 UTC