Re: Why the restriction on unauthenticated GET in CORS?

On 20 Jul 2012, at 21:02, Tab Atkins Jr. wrote:

> On Fri, Jul 20, 2012 at 11:58 AM, Henry Story <> wrote:
>> Of course, but you seem to want to support hidden legacy systems, that is systems none of us know about or can see. It is still a worth while inquiry to find out how many systems there are for which this is a problem, if any. That is:
>>  a) systems that use non standard internal ip addresses
>>  b) systems that use ip-address provenance for access control
>>  c) ? potentially other issues that we have not covered
>> Systems with a) are going to be very rare it seems to me, and the question would be whether they can't really move over to standard internal ip addresses. Perhaps IPV6 makes that easy.
>> It is not clear that anyone should bother with designs such as b) - that's bad practice anyway I would guess.
> We know that systems which base their security at least in part on
> network topology (are you on a computer inside the DMZ?) are common
> (because it's easy).

How many of those would use ip addresses that are not standard private ip addresses?
( Because if they do, then they would not be affected ).
Of those that do not, would IPV6 offer them a scheme where they could easily use standard private ip addresses? 

> ~TJ

Social Web Architect

Received on Friday, 20 July 2012 19:54:32 UTC