From: Jack (Zhan, Hua Ping) <jackiszhp@gmail.com>
Date: Wed, 11 Oct 2017 06:58:27 +0800
Message-ID: <CAKRyGxsQ9sRZjaQ7zdZ4RaAnhZErB68thqWKyn66Gr2cSrSrew@mail.gmail.com>
To: "public-webapps@w3.org" <public-webapps@w3.org>
>> As for Travis's example, should a browser allow http://evil.com/a.html
>> to access https://bankA.com/somedata?

On Wed, Oct 11, 2017 at 6:12 AM, Florian Bösch <pyalot@gmail.com> wrote:
> You don't control evil.com, you control bankA.com. You don't want evil.com
> to access bankA.com/mybalance with a data request because it is private
> information. evil.com could XHR get bankA.com/mybalance and then XHR post it
> to evil.com/save. The same origin policy that restricts data requests to the
> same origin solves that problem. But it creates a new problem: how does
> somesite.com offer resources for use by othersite.com, such as, for instance,
> twitter? The answer is for somesite.com to offer a permission on a resource;
> that's what CORS is. evil.com does not control the user's computer or UA. If
> the user chooses to use a browser that does not implement the same-origin
> policy, that's his choice. It's not a smart choice, because then this
> bankA.com/mybalance will end up on evil.com/save.

That's exactly what I said: "you guys messed up your purpose". If I am
wrong, please enlighten me a little bit more.

You are a web programmer, and your team is working on
http://evil.com/a.html. Your task is to get the ticker data of MSFT
from http://bankA.com/ticker/MSFT and show it to the user who loads
a.html provided by you. Why should the browser deny a.html loading the
ticker data?

And I am working for https://bankA.com/; it is my job to prevent
you from accessing protected resources, while you are welcome to use
public data such as MSFT's ticker data. It is not your job to make
sure sensitive data on https://bankA.com/ is protected. By the way, I
deem CORS stupid, so I will not serve you the header
"Access-Control-Allow-Origin: *". It is your browser that stopped you from
accessing the publicly available data from https://bankA.com/, not me.
Since you did not ask how I prevent you from accessing confidential data
on https://bankA.com/, I omit this.

Jack (Zhan, Hua Ping詹华平)
Received on Tuesday, 10 October 2017 22:58:51 UTC
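The thread argues over two separate decisions: the server deciding who may read a resource (session check on /mybalance), and the browser deciding whether a cross-origin page's script may see a response it already received (the same-origin policy, relaxed only by a CORS opt-in). The toy model below is an added example, not code from the thread, from any browser, or from any bank; the origins, paths, bodies, and the `cors_opt_in` switch are constructed for illustration. It reproduces both positions: the ticker feed is readable from evil.com only when bankA.com serves `Access-Control-Allow-Origin: *`, and /mybalance is never exposed cross-origin, credentialed or not.

```python
"""Toy model of the same-origin policy plus the CORS opt-in discussed above.

Constructed example: origins, paths, and data are made up for illustration,
and the browser logic is a simplification (no preflight, no Vary handling).
"""
from typing import Dict, Optional, Tuple

BANK_ORIGIN = "https://bankA.com"

# Constructed resource table for bankA.com. The ticker feed is public market
# data; the balance is per-user and private.
RESOURCES = {
    "/ticker/MSFT": {"public": True, "body": '{"symbol":"MSFT","last":76.42}'},
    "/mybalance": {"public": False, "body": '{"balance":"12345.67"}'},
}


def bank_response(path: str, has_session_cookie: bool,
                  cors_opt_in: bool = True) -> Tuple[int, Dict[str, str], str]:
    """bankA.com's handler: status, headers and body for one request.

    Access control happens here, on the server: /mybalance requires a session.
    CORS is a separate, additive choice; only public resources opt in, and the
    operator can refuse to opt in at all (cors_opt_in=False).
    """
    resource = RESOURCES.get(path)
    if resource is None:
        return 404, {}, ""
    headers = {"Content-Type": "application/json"}
    if resource["public"]:
        if cors_opt_in:
            headers["Access-Control-Allow-Origin"] = "*"
        return 200, headers, resource["body"]
    if not has_session_cookie:
        return 401, headers, ""
    return 200, headers, resource["body"]


def browser_may_expose(requesting_origin: str, resource_origin: str,
                       response_headers: Dict[str, str],
                       with_credentials: bool) -> bool:
    """The user agent's CORS read check.

    Same-origin reads are always allowed. Cross-origin reads are allowed only
    when the responding server opted in; a credentialed response may not be
    exposed under the wildcard and needs an exact origin plus
    Access-Control-Allow-Credentials: true.
    """
    if requesting_origin == resource_origin:
        return True
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    return (acao == requesting_origin and
            response_headers.get("Access-Control-Allow-Credentials") == "true")


def simulate_fetch(page_origin: str, path: str, with_credentials: bool,
                   user_has_bank_session: bool = True,
                   cors_opt_in: bool = True) -> Tuple[str, Optional[str]]:
    """Model a page at page_origin fetching BANK_ORIGIN + path.

    Returns (outcome, body visible to the page's script). Cookies travel only
    on same-origin requests or when the page asked for credentials.
    """
    send_cookie = user_has_bank_session and (
        with_credentials or page_origin == BANK_ORIGIN)
    status, headers, body = bank_response(path, send_cookie, cors_opt_in)
    if not browser_may_expose(page_origin, BANK_ORIGIN, headers, with_credentials):
        # The bytes reached the browser, but script on the page never sees them.
        return "blocked-by-browser", None
    if status != 200:
        return f"http-{status}", None
    return "ok", body


if __name__ == "__main__":
    print(simulate_fetch("http://evil.com", "/ticker/MSFT", with_credentials=False))
    print(simulate_fetch("http://evil.com", "/ticker/MSFT", with_credentials=False,
                         cors_opt_in=False))
    print(simulate_fetch("http://evil.com", "/mybalance", with_credentials=True))
    print(simulate_fetch(BANK_ORIGIN, "/mybalance", with_credentials=False))
```

Run it as a script to see the four cases side by side: public data with the opt-in is readable from evil.com, the same public data without the opt-in is blocked by the browser (the situation the message describes), the private balance is blocked even when the victim's cookie was attached, and bankA.com's own page reads it normally. The server check and the browser check are deliberately separate functions because they protect against different things: the session check stops unauthenticated callers, while the browser check stops a logged-in user's own browser from handing the response to a page on another origin.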