Re: Why the restriction on unauthenticated GET in CORS?

On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones <cmhjones@gmail.com> wrote:
>> Isn't this mitigated by the Origin header?
>
> No.
>
>

Could you expand on this response, please?

My understanding is that requests generate from XHR will have Origin
applied. This can be used to reject requests from 3rd party websites
within browsers. Therefore, intranets have the potential to restrict
access from internal user browsing habits.


>> Also, what about the point that this is unethically pushing the costs
>> of securing private resources onto public access providers?
>
> It is far more unethical to expose a user's private data.
>
>

Yes, but if no user private data is being exposed then there is cost
being paid for no benefit.

> --
> http://annevankesteren.nl/

Thanks,
Cameron Jones

Received on Thursday, 19 July 2012 14:50:29 UTC