Re: Why the restriction on unauthenticated GET in CORS?

On Fri, Jul 20, 2012 at 11:58 AM, Henry Story <henry.story@bblfish.net> wrote:
> Of course, but you seem to want to support hidden legacy systems, that is systems none of us know about or can see. It is still a worthwhile inquiry to find out how many systems there are for which this is a problem, if any. That is:
>
>   a) systems that use non-standard internal IP addresses
>   b) systems that use IP-address provenance for access control
>   c) ? potentially other issues that we have not covered
>
> Systems with a) are going to be very rare it seems to me, and the question would be whether they can't really move over to standard internal IP addresses. Perhaps IPv6 makes that easy.
>
> It is not clear that anyone should bother with designs such as b) - that's bad practice anyway I would guess.

We know that systems which base their security at least in part on
network topology (are you on a computer inside the DMZ?) are common
(because it's easy).

~TJ

Received on Friday, 20 July 2012 19:03:42 UTC
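The scenario behind TJ's point, as an added illustration that is not part of the thread: a legacy intranet service that authorizes purely by source address (pattern b above), and the browser-side CORS read check that keeps an outside page from using the victim's browser as a relay to read that service's replies. This is a self-contained simulation in plain JavaScript, not code from any real server or browser; the network ranges, the host addresses, the origin `https://evil.example` and the response body are made up for the example. The one behaviour it models that matters here: for a credential-free GET the browser still sends the request (and the request arrives from the victim's internal address, so the topology check passes), but the page is only allowed to read the response if the server opted in with `Access-Control-Allow-Origin`.

```javascript
// Added example, not from the mailing-list thread. All addresses, origins and
// the response body are constructed for illustration.

// Parse dotted-quad IPv4 into a 32-bit unsigned integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip lies inside the CIDR block, e.g. inCidr("10.1.2.3", "10.0.0.0/8").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Hypothetical "internal network" of the legacy service (RFC 1918 plus loopback).
const INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];

// Pattern (b) from the thread: the service answers any GET whose source address is
// on the internal network and refuses everything else. No credentials involved,
// and no CORS headers, because the service predates CORS.
function legacyServerHandleGet(remoteAddr) {
  const trusted = INTERNAL_NETS.some((net) => inCidr(remoteAddr, net));
  return trusted
    ? { status: 200, headers: {}, body: "internal report (constructed sample body)" }
    : { status: 403, headers: {}, body: "" };
}

// What a browser does with the response to a cross-origin, credential-free
// request: the page gets to read it only if the server explicitly opted in.
function pageMayReadResponse(response, pageOrigin) {
  const acao = response.headers["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Simulate an outside page at pageOrigin issuing a GET to the intranet service
// through the victim's browser. The request really reaches the server, carrying
// the victim's internal source address, so the topology check passes; whether
// the page learns anything depends solely on the server's CORS opt-in.
function simulateCrossOriginGet(pageOrigin, victimAddr, serverOptsIn) {
  const response = legacyServerHandleGet(victimAddr);
  if (serverOptsIn) response.headers["Access-Control-Allow-Origin"] = pageOrigin;
  return {
    serverAnswered: response.status === 200,
    pageReadBody: response.status === 200 && pageMayReadResponse(response, pageOrigin),
  };
}

// Usage: attacker page, victim browser on 10.1.2.3, legacy server with no CORS headers.
// The server answers (topology check passes) but the page cannot read the body.
console.log(simulateCrossOriginGet("https://evil.example", "10.1.2.3", false));
// The same request made directly from outside the network is refused outright,
// which is exactly why the attacker needs the victim's browser in the middle.
console.log(legacyServerHandleGet("203.0.113.7").status);
```

The simulation is why "just let unauthenticated GET through" is not safe: the request carries no cookie, but it does carry the victim's network position, and a service that trusts that position would hand its data to any page the victim happens to visit. Requiring the server to opt in per origin moves the decision to the one party that knows whether its own access control is topology-based.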