
Re: CORS

From: Jake Archibald <jakearchibald@google.com>
Date: Wed, 11 Oct 2017 07:41:28 +0000
Message-ID: <CAPy=JopqK=Q5ZCSyoCbeZQgdCL154hfDq1PY+KmzF5eoVD_yMQ@mail.gmail.com>
To: "Jack (Zhan, Hua Ping)" <jackiszhp@gmail.com>
Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>

On Wed, 11 Oct 2017, 01:02 Jack (Zhan, Hua Ping), <jackiszhp@gmail.com> wrote:

> Be aware that I do not serve his a.html GOOG ticker data with the CORS
> header. And the ticker data I will serve him is "{}".  If I serve him
> with a piece of JS: var objname={}. Then his a.html can always get the
> data as needed with a script element.
Some resources can be fetched without CORS (the spec calls these no-cors
requests), and some APIs can consume them under certain conditions, such as
img, media, CSS and script.

In many ways, this was a mistake, and they're a vector in a lot of privacy
attacks. E.g. https://goo.gl/UPV32Q (pdf), which resulted in restrictions
being applied to CSS.

Although, it's worth noting that when site A executes a script from site B,
it is giving site B full control over the page and storage on its origin.

Received on Wednesday, 11 October 2017 07:42:02 UTC
