- From: Jack (Zhan, Hua Ping) <jackiszhp@gmail.com>
- Date: Wed, 11 Oct 2017 06:58:27 +0800
- To: "public-webapps@w3.org" <public-webapps@w3.org>
>> As for Travis's example, should a browser allow http://evil.com/a.html
>> to access https://bankA.com/somedata?

On Wed, Oct 11, 2017 at 6:12 AM, Florian Bösch <pyalot@gmail.com> wrote:
> You don't control evil.com, you control bankA.com. You don't want evil.com
> to access bankA.com/mybalance with a data request because it is private
> information. evil.com could XHR get bankA.com/mybalance and then XHR post it
> to evil.com/save. The same-origin policy that restricts data requests to the
> same origin solves that problem. But it creates a new problem: how does
> somesite.com offer resources for use by othersite.com, such as, for instance,
> twitter? The answer is for somesite.com to offer a permission on a resource;
> that's what CORS is. evil.com does not control the user's computer or UA. If
> the user chooses to use a browser that does not implement the same-origin
> policy, that's his choice. It's not a smart choice, because then
> bankA.com/mybalance will end up on evil.com/save.

That's exactly what I said: "you guys messed up your purpose". If I am wrong, please enlighten me a little bit more.

You are a web programmer, and your team is working on http://evil.com/a.html. Your task is to get the ticker data of MSFT from http://bankA.com/ticker/MSFT and show it to the user who loads a.html provided by you. Why should the browser deny a.html loading the ticker data?

And I am working for https://bankA.com/; it is my job to prevent you from accessing protected resources, while you are welcome to use public data such as MSFT's ticker data. It is not your job to make sure sensitive data on https://bankA.com/ is protected. By the way, I deem CORS stupid, so I will not serve you the header "Access-Control-Allow-Origin: *". It is your browser that stopped you from accessing the publicly available data from https://bankA.com/, not me.

Since you did not ask how I prevent you from accessing confidential data on https://bankA.com/, I omit this.

Jack (Zhan, Hua Ping 詹华平)
Received on Tuesday, 10 October 2017 22:58:51 UTC
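The per-resource CORS decision the thread argues about, as an added example that is not code from the thread or any of its participants: a hypothetical bankA.com server policy in plain Node.js (the paths, ticker data and session cookie are constructed) that grants cross-origin reads of the public ticker data with Access-Control-Allow-Origin and deliberately sends no such header for the private balance, so the browser's same-origin policy refuses that read.

```javascript
'use strict';
// Added example, not code from the thread: a per-resource CORS policy for a
// hypothetical bankA.com origin server in plain Node.js (no dependencies).
// The browser enforces the same-origin policy; the server only states, via
// Access-Control-Allow-Origin, which resources are public enough to share.

const PUBLIC_PREFIXES = ['/ticker/'];          // e.g. /ticker/MSFT
const PRIVATE_PATHS = new Set(['/mybalance']); // needs the session cookie

// Constructed sample data standing in for real back-end lookups.
const TICKERS = { MSFT: { symbol: 'MSFT', price: 78.81 } };
const BALANCES = { 'session=alice': { balance: 1234.56 } };

function isPublic(path) {
  return !PRIVATE_PATHS.has(path) && PUBLIC_PREFIXES.some((p) => path.startsWith(p));
}

// CORS headers for one request. Public data: any origin may read it, and
// since no credentials are involved '*' is safe. Private data: no
// Access-Control-Allow-Origin at all, so a cross-origin reader is refused
// by the browser regardless of what the calling page asks for.
function corsHeadersFor({ method, path, origin }) {
  const headers = {};
  if (!origin || !isPublic(path)) return headers;   // same-origin or private
  headers['Access-Control-Allow-Origin'] = '*';
  if (method === 'OPTIONS') {                        // preflight
    headers['Access-Control-Allow-Methods'] = 'GET';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Full response {status, headers, body} for a request {method, path, origin, cookie}.
function respond(req) {
  const headers = corsHeadersFor(req);
  if (req.method === 'OPTIONS') return { status: 204, headers, body: '' };
  if (isPublic(req.path)) {
    const t = TICKERS[req.path.slice('/ticker/'.length)];
    return t ? { status: 200, headers, body: JSON.stringify(t) }
             : { status: 404, headers, body: '' };
  }
  // Defence in depth beyond the browser: a private resource requested with a
  // foreign Origin header is refused server-side, not merely made unreadable.
  if (req.origin && req.origin !== 'https://bankA.com') return { status: 403, headers, body: '' };
  const b = req.cookie && BALANCES[req.cookie];
  return b ? { status: 200, headers, body: JSON.stringify(b) }
           : { status: 401, headers, body: '' };
}
```

To serve it, call respond() from an http.createServer handler with the request's method, pathname, Origin and Cookie headers and write back the returned status, headers and body.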