On 18 Jul 2012, at 05:47, Ian Hickson wrote:
> On Wed, 18 Jul 2012, Henry Story wrote:
>>
>> So my argument is that this restriction could be lifted since
>>
>> 1. GET is idempotent - and should not affect the resource fetched
>>
>> 2. If there is no authentication, then the JS Agent could make the
>> request via a CORS proxy of its choosing, and so get the content of the
>> resource anyhow.
>
> No, such a proxy can't get to intranet pages.
>
> "Authentication" on the Internet can include many things, e.g. IP
> addresses or mere connectivity, that are not actually included in the body
> of an HTTP GET request. It's more than just cookies and HTTP auth headers.
Ah yes, quite right. Tricky space...
Perhaps my question can be useful in your CORS design-decisions-faq .
Thanks,
Henry
>
> --
> Ian Hickson U+1047E )\._.,--....,'``. fL
> http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
> Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Social Web Architect
http://bblfish.net/
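Added example, not part of the thread: Ian's point is that reachability is itself a credential. A CORS proxy that forwards arbitrary GETs lends out its own network position, so at minimum it must refuse targets that a browser on the public Internet could not reach on its own. The DNS table and addresses below are constructed so the check runs offline; a real proxy would resolve names itself and re-check every returned address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "intranet.example": ["10.1.2.3"],
    "public.example": ["93.184.216.34"],
    "dual.example": ["93.184.216.34", "192.168.0.10"],  # one public, one private
}

# Ranges reachable only because of where the proxy sits, beyond what
# ipaddress already flags as private / loopback / link-local.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]  # shared address space (CGNAT)


def _unmap(addr):
    # Treat ::ffff:10.0.0.1 as 10.0.0.1 so an IPv6 literal cannot hide an IPv4 range.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_ambient_authority_address(text):
    """True if a browser on the public Internet could not reach this address anyway."""
    addr = _unmap(ipaddress.ip_address(text))
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return True
    return any(addr in net for net in EXTRA_BLOCKED)


def proxy_may_fetch(url, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Decide whether a CORS proxy should forward a GET to this URL.

    Rejects non-http(s) schemes, and any IP literal or name that maps to an
    address the proxy can reach only by virtue of its network position.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal, brackets already stripped
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False  # unresolvable: fail closed
    return not any(is_ambient_authority_address(a) for a in addrs)
```

A name that resolves to both a public and a private address is refused, since a single answer is enough to reach the intranet.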