- From: Cameron Jones <cmhjones@gmail.com>
- Date: Thu, 19 Jul 2012 15:10:16 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Henry Story <henry.story@bblfish.net>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Thu, Jul 19, 2012 at 2:54 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Jul 19, 2012 at 2:43 PM, Henry Story <henry.story@bblfish.net> wrote:
>> If a mechanism can be found to apply restrictions for private IP ranges then that
>> should be used in preference to forcing the rest of the web to implement CORS
>> restrictions on public data. And indeed the firewall servers use private IP ranges,
>> which do in fact make a good distinguisher for public and non-public space.
>
> It's not just private servers (there's no guarantee those only use
> private IP ranges either). It's also IP-based authentication to
> private resources as e.g. W3C has used for some time.
>

Isn't this mitigated by the Origin header?

Also, what about the point that this is unethically pushing the costs of securing private resources onto public access providers?

Thanks,
Cameron Jones
Received on Thursday, 19 July 2012 14:10:47 UTC
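Added example (not from the thread or any W3C code) of the distinction the thread turns on: an IP-authenticated private resource can tell a direct request from inside the network apart from a cross-origin browser request relayed from inside it only by looking at the Origin header, and private-range detection alone is not enough. The allowlisted origin and sample addresses are constructed for the example.

```python
import ipaddress
from typing import Optional

# Hypothetical allowlist of browser origins the private service is willing to
# serve cross-origin (constructed for this example, not a real deployment).
TRUSTED_ORIGINS = {"https://intranet.example.internal"}


def is_private_address(addr: str) -> bool:
    """True for RFC 1918 / ULA, loopback and link-local addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def decide(origin: Optional[str], client_addr: str) -> dict:
    """Decide how an IP-authenticated private resource answers one request.

    origin:      value of the request's Origin header, or None if absent
    client_addr: source address of the TCP connection
    Returns whether the body may be served and the CORS headers to emit.
    """
    headers = {"Vary": "Origin"}
    # IP-based authentication: only connections from the private network
    # are trusted at all. This is the check the thread calls a "good
    # distinguisher", and it is necessary but not sufficient.
    if not is_private_address(client_addr):
        return {"serve": False, "headers": headers}
    # No Origin header: same-origin navigation or a non-browser client on
    # the private network; the network-position check is the whole story.
    if origin is None:
        return {"serve": True, "headers": headers}
    # Origin present: a browser inside the network is relaying a request on
    # behalf of some page. The client IP says nothing about who scripted
    # that page; only the Origin value does, so it must be allowlisted.
    # (The opaque origin "null" never matches and is therefore refused.)
    if origin in TRUSTED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        return {"serve": True, "headers": headers}
    # Unknown origin: withhold the body rather than rely on the browser to
    # keep an ACAO-less response away from the page.
    return {"serve": False, "headers": headers}
```

Withholding the body for unknown origins is a conservative choice; a server that instead serves it without Access-Control-Allow-Origin is relying on the browser's CORS enforcement, which is exactly the enforcement the proposal in the thread would relax for "public" data.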