Re: Why the restriction on unauthenticated GET in CORS?

On Thu, Jul 19, 2012 at 2:54 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Jul 19, 2012 at 2:43 PM, Henry Story <henry.story@bblfish.net> wrote:
>> If a mechanism can be found to apply restrictions for private IP ranges then that
>> should be used in preference to forcing the rest of the web to implement CORS
>> restrictions on public data. And indeed the firewall servers use private IP ranges,
>> which do in fact make a good distinguisher for public and non-public space.
>
> It's not just private servers (there's no guarantee those only use
> private IP ranges either). It's also IP-based authentication to
> private resources as e.g. W3C has used for some time.
>
>

Isn't this mitigated by the Origin header?

Also, what about the point that this is unethically pushing the costs
of securing private resources onto public access providers?

Thanks,
Cameron Jones

Received on Thursday, 19 July 2012 14:10:47 UTC
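An added illustration, not part of this thread or of any W3C code: the JavaScript below models the browser-side CORS response check together with the two kinds of server the exchange above discusses, a legacy server that authenticates by client IP and emits no CORS headers (the W3C-style case Anne mentions), and a public server that checks the Origin header as Cameron asks. The server logic, the allowed origins, the IP ranges and the sample requests are constructed assumptions for the example.

```javascript
// Model of a cross-origin GET as a browser handles it under CORS.
// Added example; the servers and networks here are constructed, not real.

// Constructed: a private server that authenticates solely by client IP and
// knows nothing about CORS. It never looks at the Origin header.
function legacyIpAuthServer(req) {
  const trustedPrefixes = ['10.', '192.168.']; // assumption: the "firewall" ranges
  if (!trustedPrefixes.some((p) => req.clientIp.startsWith(p))) {
    return { status: 403, headers: {}, body: '' };
  }
  // Data is returned to anyone on the private network, whatever Origin says,
  // and the response carries no Access-Control-Allow-Origin header.
  return { status: 200, headers: {}, body: 'member-only minutes' };
}

// Constructed: a public server that does the Origin check Cameron asks about.
function originCheckingServer(req, allowedOrigins) {
  const origin = req.headers.origin;
  if (origin === undefined) {
    // No Origin header: same-origin or non-browser client, nothing to gate.
    return { status: 200, headers: {}, body: 'public data' };
  }
  if (!allowedOrigins.includes(origin)) {
    return { status: 403, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: { 'access-control-allow-origin': origin },
    body: 'public data',
  };
}
const publicServer = (req) => originCheckingServer(req, ['https://partner.example']);

// Browser side: a cross-origin response is exposed to the calling script only if
// Access-Control-Allow-Origin matches the requesting origin, or is "*" and the
// request was sent without credentials. Otherwise the script sees a network error.
function browserExposes(origin, response, withCredentials) {
  const acao = response.headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  return acao === origin;
}

// A script served from `scriptOrigin` fetches the resource from a browser whose
// network address is `clientIp` (e.g. a victim sitting inside the private network).
function simulate(server, scriptOrigin, clientIp) {
  const req = { clientIp, headers: { origin: scriptOrigin } };
  const res = server(req);
  return {
    // What left the server: this is what any script could read if the browser
    // applied no restriction to unauthenticated cross-origin GETs.
    serverReturnedData: res.status === 200 && res.body.length > 0,
    // What the script actually gets under CORS.
    scriptCanRead: browserExposes(scriptOrigin, res, false),
  };
}
```

Run `simulate(legacyIpAuthServer, 'https://evil.example', '10.0.0.5')` to see the case the thread is arguing about: the legacy server hands the private data back because the client IP is trusted, and only the browser-side check keeps it from the script. The Origin check in `originCheckingServer` shows what a public server has to implement to opt in, which is the cost being discussed.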