On 18 Jul 2012, at 05:47, Ian Hickson wrote:

> On Wed, 18 Jul 2012, Henry Story wrote:
>>
>> So my argument is that this restriction could be lifted since
>>
>> 1. GET is idempotent - and should not affect the resource fetched
>>
>> 2. If there is no authentication, then the JS Agent could make the
>> request via a CORS proxy of its choosing, and so get the content of the
>> resource anyhow.
>
> No, such a proxy can't get to intranet pages.
>
> "Authentication" on the Internet can include many things, e.g. IP
> addresses or mere connectivity, that are not actually included in the body
> of an HTTP GET request. It's more than just cookies and HTTP auth headers.

Ah yes, quite right. Tricky space...

Perhaps my question can be useful in your CORS design-decisions-faq.

Thanks,

Henry

>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Social Web Architect
http://bblfish.net/
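
An added illustration of the point made in this exchange, not part of either author's message: a server that checks no cookies or HTTP auth headers still answers the same credential-free GET differently depending on where it comes from. The handler, the two addresses and the page text are constructed for the demo, and it assumes a Linux host, where every 127.0.0.0/8 address is local.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-ins: 127.0.0.1 plays a browser inside the intranet,
# 127.0.0.2 plays a proxy on the outside. Both are loopback on Linux.
INTRANET_CLIENT = "127.0.0.1"
OUTSIDE_PROXY = "127.0.0.2"


class IntranetHandler(BaseHTTPRequestHandler):
    """Hypothetical intranet page: the only access check is the peer address."""

    def do_GET(self):
        allowed = self.client_address[0] == INTRANET_CLIENT
        body = b"internal wiki page" if allowed else b"forbidden"
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(port, source_ip):
    """Send a GET with no cookies or auth headers from the given source address."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5,
                                      source_address=(source_ip, 0))
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def run_demo():
    """Issue the byte-identical request from both network positions."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), IntranetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {"browser": fetch(port, INTRANET_CLIENT),
                "proxy": fetch(port, OUTSIDE_PROXY)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for who, (status, body) in run_demo().items():
        print(f"{who}: {status} {body}")
```

The two requests carry the same bytes; only the connection's source address differs, which is why a page reachable without credentials from the user's browser is not necessarily reachable through a proxy elsewhere.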