Ian Hickson wrote:
> If you are faced with a hostile client, then Access-Control
> is irrelevant.
> A hostile client can already do cross-site third party requests.

But can the hostile client convincingly blame another site for the request? 
That's the new part. A hostile client can send a request that looks like it was 
sent by an honest client and is the fault of the Referer-Root site.

You can't stop thinking at the point that the request is accepted. You have to 
also consider how the site which accepts the request assigns accountability.

--Tyler
