On Sat, 10 Oct 2009 01:36:50 +0200, Mark S. Miller <[email protected]> wrote:
> The last of the links above should make the application to CORS
> concrete. See also the dismissive replies which followed in that
> thread. If you find these dismissals plausible, please imagine back to
> the world in which CSRF was first diagnosed (second bullet above) and
> ask if CSRFs would have also seemed merely theoretical back then? In
> both cases, the answer "well don't do that" seems to make sense on
> first analysis for the same reasons.
The concern seems to be mostly about CORS being an access control system.
I'm not entirely sure that is justified (though the headers are indeed
confusingly named, mea culpa). All CORS does is allow cross-origin
resources to communicate with each other. What actions follow from
requests should in general not follow from (just) the origin where the
request originated. That would allow all kinds of trouble.

Then again, I think this was explained before as well, so I kind of have
the feeling we are going around in circles.
--
Anne van Kesteren
http://annevankesteren.nl/
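An added illustration of the distinction made in this exchange, not code from either poster: CORS headers decide which origins a browser may let read a response, while whether a state-changing request is acted upon must rest on the request's own proof (here a session-bound token), never on the client-asserted Origin alone. The allowlist, secret, token scheme and function names are assumptions for the example.

```python
# Added example: separating the CORS decision (what the browser may expose)
# from the authorization decision (whether the server should act at all).
# The allowlist, secret and token construction are constructed for illustration.
import hashlib
import hmac

ALLOWED_ORIGINS = {"https://app.example"}          # constructed allowlist
SECRET = b"server-side-secret-for-the-example"    # constructed secret


def csrf_token(session_id):
    """Token bound to the session; a page can only present it if it already
    holds the session and can read same-origin state."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def cors_headers(origin):
    """CORS only governs what the browser may expose to a cross-origin caller.
    It says nothing about whether the request should be acted upon."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def authorize_action_by_origin_only(headers):
    """The pattern the thread argues against: Origin is asserted by the client
    and is not a credential, so a matching value must not grant an action."""
    return headers.get("Origin") in ALLOWED_ORIGINS


def authorize_action(session_id, form):
    """Authorization derived from proof carried by the request (session plus
    session-bound token), independent of where the request originated."""
    token = form.get("csrf_token", "")
    return hmac.compare_digest(token, csrf_token(session_id))


def handle_transfer(headers, session_id, form):
    """Returns (status, response headers). CORS headers are computed separately
    from, and never influence, the decision to perform the action."""
    status = 200 if authorize_action(session_id, form) else 403
    return status, cors_headers(headers.get("Origin"))
```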