- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 18 Jul 2012 03:47:21 +0000 (UTC)
- To: Henry Story <henry.story@bblfish.net>
- cc: public-webapps public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Wed, 18 Jul 2012, Henry Story wrote: > > So my argument is that this restriction could be lifted since > > 1. GET is indempotent - and should not affect the resource fetched > > 2. If there is no authentication, then the JS Agent could make the > request via a CORS praxy of its choosing, and so get the content of the > resource anyhow. No, such a proxy can't get to intranet pages. "Authentication" on the Internet can include many things, e.g. IP addresses or mere connectivity, that are not actually included in the body of an HTTP GET request. It's more than just cookies and HTTP auth headers. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 18 July 2012 03:47:45 UTC