
Re: CORS

From: Jack (Zhan, Hua Ping) <jackiszhp@gmail.com>
Date: Wed, 11 Oct 2017 05:54:40 +0800
Message-ID: <CAKRyGxvPNEUn-Ddyc2N_r3AYPYRy-6+hK3q_Cwu=OQ2+k4x6pA@mail.gmail.com>
To: Florian Bösch <pyalot@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>
#1. I really appreciate your discussion.
#2. I know "just add this to your apache config: Header set
Access-Control-Allow-Origin "*"".
#3. Most of what you wrote, I agree with. Only a few sentences I do not
agree with. Since my purpose is not to make each of your sentences perfectly
right, and even if I did that we might go nowhere, let me use a
specific example to ask a question:

As for Travis's example, should a browser allow http://evil.com/a.html
to access https://bankA.com/somedata?
Note:
#1. somedata is not just any data; let me be more specific: the data is the
ticker info of MSFT, and this kind of data does not require user
authentication. (It seems that you are in the trading business.)
#2. The web browser is just a UI (your UA), a web OS, so the browser should
not restrict a program (here a.html) from doing whatever the user wants to
do. It is the user who loads http://evil.com/a.html.
#3. As far as I know, no browser prevents a.html from loading
https://bankA.com/somejavascriptcode.
#4. In this example, what we care about is the security of a.html, not the bank.


Jack
Received on Tuesday, 10 October 2017 21:55:08 UTC
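The question in the post turns on what CORS actually gates: the browser lets http://evil.com/a.html send the request and even execute a cross-origin script, but it refuses to hand the response body of a cross-origin fetch to the page unless the server's CORS headers permit it. The following is an added example, not code from the post or from any project mentioned in it; it models the server-side policy a site like bankA.com could use (the "Header set Access-Control-Allow-Origin *" line from the post corresponds to the public-data branch) and the browser-side check that policy has to satisfy. The paths /ticker/MSFT and /account/balance and the origin https://app.bankA.com are constructed for the example.

```javascript
// Added example (not from the mailing-list post): a server-side CORS policy
// for a bank origin and the browser-side check that decides whether a page
// on another origin may read the response.

// Resources that need no authentication (the MSFT ticker in the post):
// safe to expose to any origin, because there is nothing to protect.
const PUBLIC_PATHS = new Set(['/ticker/MSFT']);          // constructed path

// Origins allowed to read authenticated resources with cookies attached.
const CREDENTIALED_ORIGINS = new Set(['https://app.bankA.com']); // constructed

// Decide which CORS response headers the server attaches for a request
// from `origin` to `path`. An empty object means the browser will refuse
// the cross-origin read; the request itself still reaches the server.
function corsResponseHeaders(path, origin) {
  if (PUBLIC_PATHS.has(path)) {
    // Public data: a wildcard is fine, since no credentials are involved.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (origin && CREDENTIALED_ORIGINS.has(origin)) {
    // Authenticated data: echo the exact allow-listed origin (never "*"),
    // opt in to credentials, and tell caches the answer depends on Origin.
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    };
  }
  return {};
}

// The check a browser performs before exposing a cross-origin response to
// the requesting page (simplified from the Fetch standard's CORS check).
function browserAllowsRead(pageOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;     // "*" never pairs with credentials
  if (acao !== pageOrigin) return false;
  if (withCredentials) {
    return headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return true;
}

// Simulate a page on `pageOrigin` fetching `path` from the bank and report
// whether the page gets to read the response body.
function simulate(pageOrigin, path, withCredentials) {
  const headers = corsResponseHeaders(path, pageOrigin);
  return browserAllowsRead(pageOrigin, headers, withCredentials);
}

// The post's scenario: http://evil.com/a.html talking to bankA.com.
console.log(simulate('http://evil.com', '/ticker/MSFT', false));          // true: public ticker
console.log(simulate('http://evil.com', '/account/balance', true));       // false: no CORS headers
console.log(simulate('https://app.bankA.com', '/account/balance', true)); // true: allow-listed origin
console.log(simulate('http://evil.com', '/ticker/MSFT', true));           // false: "*" with credentials
```

Two points the simulation makes concrete. First, the wildcard the post quotes is the right answer only for data that needs no authentication; for anything served with cookies the server must echo a specific allow-listed origin, and a browser rejects "*" on a credentialed request regardless of what the server intended. Second, the post's observation that a.html can load https://bankA.com/somejavascriptcode is consistent with this model: a classic script tag executes the script without a CORS check, but it still cannot read the bytes back, so CORS headers are what protect the bank's data, not the script, from being read by evil.com.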
