W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2012

Re: Why the restriction on unauthenticated GET in CORS?

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 20 Jul 2012 00:29:48 -0700
Message-ID: <CAJE5ia-5UzyUPkZCRc1+xFZPWrzNpAO4P8=44oLGfRsZG5xfzA@mail.gmail.com>
To: Cameron Jones <cmhjones@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Henry Story <henry.story@bblfish.net>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones <cmhjones@gmail.com> wrote:
> On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones <cmhjones@gmail.com> wrote:
>>> Isn't this mitigated by the Origin header?
>> No.
> Could you expand on this response, please?
> My understanding is that requests generate from XHR will have Origin
> applied. This can be used to reject requests from 3rd party websites
> within browsers. Therefore, intranets have the potential to restrict
> access from internal user browsing habits.

They have the potential, but existing networks don't do that.  We need
to protect legacy systems that don't understand the Origin header.

>>> Also, what about the point that this is unethically pushing the costs
>>> of securing private resources onto public access providers?
>> It is far more unethical to expose a user's private data.
> Yes, but if no user private data is being exposed then there is cost
> being paid for no benefit.

I think it's difficult to discuss ethics without agreeing on an
ethical theory.  Let's stick to technical, rather than ethical,

Received on Friday, 20 July 2012 07:30:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:28 UTC