Hi All,

A couple of questions about CORS.


1: Why is CORS an opt-out setup instead of an opt-in?
e.g. why are all my resources hidden from JS by default rather than exposed, then allowing me to limit access to specific resources at my discretion.


2: Why does CORS prevent this:

function doNastyStuff() {
        var client = new XMLHttpRequest();   // "new client =" in the original is a syntax error
        // scheme added for illustration; the original omitted it
        client.open("GET", "https://intranet.corp.example/sensitive.json");
        client.onload = function () { console.log(client.responseText); };
        client.send();
}

but allow this:

function doNastyStuff() {
        var script = document.createElement("script");
        // scheme added for illustration; the original omitted it
        script.src = 'https://intranet.corp.example/sensitive.json';
        document.body.appendChild(script);
}


Best,

Nathan
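Added example, not part of Nathan's message and not code from any browser or project: a Node.js script that models the two browser rules behind both questions. The first function models the CORS read check (the request is sent either way; the body is exposed to the caller only if the server opts in with Access-Control-Allow-Origin, so the default is "not readable"). The second models what a script tag hands to the page: the body is parsed and executed as a program, never returned as text, so a bare JSON object is a syntax error, a JSON array executes and is discarded, and only a body that calls a page-controlled global (JSONP style) leaks anything. The origin `https://evil.example`, the header sets, the response bodies and the `leak` global are all constructed for this example.

```javascript
// Added example: a model of two browser behaviours, run in Node.js.
// Nothing below is browser code; it only emulates the rules the browser applies.

// 1. The CORS read check. A simple cross-origin GET is sent regardless of CORS.
//    What CORS decides is whether the response *body* is handed to the calling
//    script; with no header at all the answer is "no". `headers` is a plain
//    object with lowercased header names.
function corsExposesBody(requestOrigin, headers, withCredentials = false) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;        // server never opted in (the default)
  if (acao === '*') return !withCredentials;   // wildcard is refused for credentialed requests
  if (acao !== requestOrigin) return false;    // opted in, but for a different origin
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') return false;
  return true;
}

// 2. What <script src="..."> gives the page. The body is never exposed as text;
//    it is executed as a JavaScript program and the page observes only side
//    effects on globals it controls. `leak` models such a global (a JSONP callback).
function scriptTagExposes(responseBody) {
  let captured = null;
  const leak = (value) => { captured = value; };
  try {
    // Function body stands in for the script body; the completion value is
    // discarded, just as a real script element discards it.
    new Function('leak', responseBody)(leak);
    return { executed: true, error: null, captured };
  } catch (err) {
    return { executed: false, error: err.constructor.name, captured: null };
  }
}

// Constructed sample inputs for the example; no host is contacted.
const attackerOrigin = 'https://evil.example';
const sampleHeaders = {
  none:      {},
  wildcard:  { 'access-control-allow-origin': '*' },
  otherSite: { 'access-control-allow-origin': 'https://app.example' },
  attacker:  { 'access-control-allow-origin': attackerOrigin,
               'access-control-allow-credentials': 'true' },
};
const sampleBodies = {
  jsonObject: '{"secret": "s3cr3t"}',         // bare object literal: not a valid program
  jsonArray:  '[{"secret": "s3cr3t"}]',       // valid program, result thrown away
  jsonp:      'leak({"secret": "s3cr3t"})',   // calls a page-controlled global: data flows out
  prefixed:   ')]}\'\n{"secret": "s3cr3t"}',  // anti-hijacking prefix: never parses
};

for (const [name, headers] of Object.entries(sampleHeaders)) {
  console.log(`XHR, headers=${name}: body readable =`,
              corsExposesBody(attackerOrigin, headers, name === 'attacker'));
}
for (const [name, body] of Object.entries(sampleBodies)) {
  console.log(`<script>, body=${name}:`, scriptTagExposes(body));
}
```

The model shows why the script element is "allowed": it can run the bytes but cannot read them, so a JSON document that is not also a useful program gives the attacking page nothing. The historical exception is JSON hijacking in old browsers, where array literals could be captured by redefining `Array` or installing setters on `Object.prototype`; current engines do not call user code when building literals. The `prefixed` body shows the usual server-side belt-and-braces for sensitive JSON; serving it with the correct content type plus `X-Content-Type-Options: nosniff`, so the browser refuses to execute it as a script at all, is the other.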
