- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 18 Jul 2012 05:57:13 +0200
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-webapps public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On 18 Jul 2012, at 05:47, Ian Hickson wrote:

> On Wed, 18 Jul 2012, Henry Story wrote:
>>
>> So my argument is that this restriction could be lifted since
>>
>> 1. GET is idempotent - and should not affect the resource fetched
>>
>> 2. If there is no authentication, then the JS Agent could make the
>> request via a CORS proxy of its choosing, and so get the content of the
>> resource anyhow.
>
> No, such a proxy can't get to intranet pages.
>
> "Authentication" on the Internet can include many things, e.g. IP
> addresses or mere connectivity, that are not actually included in the body
> of an HTTP GET request. It's more than just cookies and HTTP auth headers.

Ah yes, quite right. Tricky space...

Perhaps my question can be useful in your CORS design-decisions-faq.

Thanks,

Henry

> --
> Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Social Web Architect
http://bblfish.net/
Received on Wednesday, 18 July 2012 03:57:49 UTC