
CORS explained simply

From: <henry.story@bblfish.net>
Date: Thu, 19 Feb 2015 23:17:10 +0100
Message-Id: <163C3618-00C6-417A-A5A2-6D39A4B8B9B3@bblfish.net>
To: WebAppSec WG <public-webappsec@w3.org>

I find that understanding CORS is really not easy.
It seems that what is missing is a general overview document
that would start by explaining why the simplest possible method
won't work, in order to help the user then understand why more
complex methods are needed.

For example, the first thing one should start by explaining is for

1) requests that do not require authentication
  q1: why is the origin sent at all? And why are there still restrictions?
  q2: why does POSTing a URL-encoded form not require pre-flight? But why does POSTing other data require it?

2) On requests that do need authentication:
  q3: Why are the pre-flight requests needed at all?

I know that the answer to q1 is that some servers have access control methods
based on ip address of the client. But it is worth stating clearly the requirement
in the specs so that this can be understood.

There is also the question as to why the server needs to make a decision as to
what the client can see. But why can't it be the client? After all the user could
decide to give more rights to some JS apps than to others, and that would work too.

I am not saying that these questions don't have answers. It is just that they
would help a developer understand why CORS has taken the shape it has, and so
understanding the reasons for the decisions taken, be better able to think about it.


Social Web Architect

Received on Thursday, 19 February 2015 22:17:40 UTC
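The following is an added example, not part of the post above or of any WebAppSec WG document. It models the distinction behind q2 and q3: a cross-origin request whose method and headers stay within the CORS-safelisted set (GET/HEAD/POST; only Accept, Accept-Language, Content-Language and a Content-Type of application/x-www-form-urlencoded, multipart/form-data or text/plain) is sent directly with an Origin header, while anything else makes the browser send an OPTIONS preflight first and only proceed if the server's Access-Control-* answer permits it. The safelisted set matches what an HTML form could already send cross-origin before CORS existed, which is why a URL-encoded POST needs no preflight but a JSON POST does. The origin https://app.example, the request objects and the `policy` object are constructed for the example; the real Fetch rules additionally cap safelisted header values at 128 bytes and restrict the characters allowed in Accept and the language headers, which this simplification omits.

```javascript
// Added example (not from the original post): which cross-origin requests a
// browser sends directly and which it preflights, following the CORS-safelisted
// rules of the Fetch standard, plus the OPTIONS exchange for the latter.
// Simplified: the real rules also cap safelisted header values at 128 bytes
// and restrict Accept/Accept-Language/Content-Language characters.

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Header names the browser would list in Access-Control-Request-Headers:
// anything outside the safelist, plus Content-Type when its value is not safelisted.
function unsafeHeaders(headers) {
  const unsafe = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) { unsafe.push(n); continue; }
    if (n === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) unsafe.push(n);
    }
  }
  return unsafe.sort();
}

// Reasons a request needs a preflight; an empty list means it is "simple" (q2).
function needsPreflight(method, headers) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SAFE_METHODS.has(m)) reasons.push(`method ${m}`);
  for (const h of unsafeHeaders(headers)) reasons.push(`header ${h}`);
  return reasons;
}

// The headers the browser puts on the OPTIONS preflight for a non-simple request.
function buildPreflight(origin, method, headers) {
  const req = { "Origin": origin, "Access-Control-Request-Method": method.toUpperCase() };
  const unsafe = unsafeHeaders(headers);
  if (unsafe.length) req["Access-Control-Request-Headers"] = unsafe.join(", ");
  return req;
}

// Server side (q3): decide the preflight. `policy` is a hypothetical config
// object { origins: Set, methods: Set, headers: Set }. Returns the
// Access-Control-* response headers, or null to refuse, in which case the
// browser never sends the real request.
function answerPreflight(preflight, policy) {
  const origin = preflight["Origin"];
  const method = preflight["Access-Control-Request-Method"];
  const wanted = (preflight["Access-Control-Request-Headers"] || "")
    .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
  if (!policy.origins.has(origin)) return null;
  if (!policy.methods.has(method)) return null;
  if (!wanted.every(h => policy.headers.has(h))) return null;
  return {
    "Access-Control-Allow-Origin": origin,   // echo the single allowed origin, not "*"
    "Access-Control-Allow-Methods": method,
    "Access-Control-Allow-Headers": wanted.join(", "),
    "Vary": "Origin",                        // caches must not reuse this answer for other origins
  };
}

// Constructed sample requests from a page on https://app.example (assumed origin).
const ORIGIN = "https://app.example";
const formPost = { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } };
const jsonPost = { method: "POST", headers: { "Content-Type": "application/json" } };
const apiPut   = { method: "PUT",  headers: { "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest" } };

// Hypothetical server policy: this one origin, GET/POST only, Content-Type may be non-safelisted.
const policy = { origins: new Set([ORIGIN]), methods: new Set(["GET", "POST"]), headers: new Set(["content-type"]) };

for (const r of [formPost, jsonPost, apiPut]) {
  const reasons = needsPreflight(r.method, r.headers);
  console.log(r.method, r.headers["Content-Type"], reasons.length ? `preflight (${reasons.join(", ")})` : "simple");
  if (reasons.length) {
    const pf = buildPreflight(ORIGIN, r.method, r.headers);
    console.log("  OPTIONS ->", pf, "<-", answerPreflight(pf, policy));
  }
}
```

Run with `node`: the form POST is reported as simple, the JSON POST is preflighted and permitted by the policy, and the PUT is preflighted and refused because PUT is not in the allowed methods. Note that a "simple" request is still sent to the server with its Origin header; the server's policy only controls whether the script is allowed to read the response, which is the point behind q1.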
