W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CORS explained simply

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 20 Feb 2015 08:14:46 +0100
Message-ID: <CADnb78gn2M9EDAf_biL-hfO5_iRYb4nes2OuBffuSvjZCVV3Hg@mail.gmail.com>
To: "henry.story@bblfish.net" <henry.story@bblfish.net>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Feb 19, 2015 at 11:17 PM, henry.story@bblfish.net
<henry.story@bblfish.net> wrote:
> 1) requests that do not require authentication
>   q1: why is the origin sent at all? And why are there still restictions?
>   q2: why does POSTing a url encoded form not require pre-flight? But why does POSTing other data do?
> 2) On requests that do need authentication:
>   q3: Why are the pre-flight requests needed at all?

Authentication is not the important bit.

The important bits are 1) protecting content behind a firewall and 2)
fetches possible without CORS.

> But why can't it be the client? After all the user could
> decide to give more rights to some JS apps than to others, and that would work too.

No, nobody thus far has presented credible UX for that.

> I am not saying that these questions don't have answers. It is just that they
> would help a developer understand why CORS has taken the shape it has, and so
> understanding the reaons for the decisions taken, better be able to think about it.

https://fetch.spec.whatwg.org/#basic-safe-cors-protocol-setup has some
of it. I guess I could add a background section with the bits above
more explicitly, it's just that they follow naturally from the
same-origin policy...

Received on Friday, 20 February 2015 07:15:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC