- From: Jack (Zhan, Hua Ping) <jackiszhp@gmail.com>
- Date: Wed, 11 Oct 2017 05:54:40 +0800
- To: Florian Bösch <pyalot@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>
#1. I really appreciate your discussion.

#2. I know "just add this to your apache config: Header set Access-Control-Allow-Origin "*"".

#3. I agree with most of what you wrote. There are only a few sentences I do not agree with.

Since my purpose is not to make each of your sentences perfectly right, and even if I did that we might go nowhere, let me use a specific example to ask a question:

As for Travis's example, should a browser allow http://evil.com/a.html to access https://bankA.com/somedata?

Please note:

#1. somedata is not any data; let me be more specific: the data is the ticker info of MSFT, and this kind of data does not require user authentication. (It seems that you are in the trade business.)

#2. A web browser is just a UI (your UA), as a web OS, so the browser should not restrict a program, here a.html, from doing whatever the user wants to do. It is the user who loads http://evil.com/a.html.

#3. As far as I know, there is no browser that prevents a.html from loading https://bankA.com/somejavascriptcode.

#4. In this example, what we care about is the security of a.html, not the bank.

Jack
Received on Tuesday, 10 October 2017 21:55:08 UTC