- From: Florian Bösch <pyalot@gmail.com>
- Date: Thu, 12 Oct 2017 00:26:08 +0200
- To: "Jack (Zhan, Hua Ping)" <jackiszhp@gmail.com>
- Cc: "public-webapps@w3.org" <public-webapps@w3.org>
Received on Wednesday, 11 October 2017 22:26:31 UTC
On Thu, Oct 12, 2017 at 12:00 AM, Jack (Zhan, Hua Ping) <jackiszhp@gmail.com> wrote:

> But in one sentence: I do not need the browser to do the authorization
> check for me, I do the authorization check myself at server
> https://bankA.com/.

Effectively you want to get rid of the same-origin policy. This isn't going to happen because everybody else relies on it working. CORS exists because the same-origin policy exists. And the same-origin policy exists to avoid exposing side effects and data to third parties for data requests which were introduced to the web at a later stage when there was already a large volume of existing sites which couldn't all be changed.

In essence it seems you're not happy with how history went, and you'd like the entire world to change all at once so that you can avoid adding a perfectly functional http header...