On Wed, 17 Jun 2009, Tyler Close wrote:
> >>
> >> We should make sure CORS is not being unduly conservative.
> >
> > When we're talking about security, I don't think being unduly
> > conservative is a bad thing at all.
>
> So turn off your computer then. ;) "unduly" is always undue.

Er, my bad. I mean, I don't think that CORS is being unduly conservative.
I think being very conservative when it comes to security is no bad thing.

> Huh. So, how should we proceed? Should we drop this proposal on the
> hypothesis that there might exist resources that require the more
> conservative approach taken by CORS? Regardless of the costs this
> imposes?

I don't think we need to worry about the intranet case given the public
IP-based authentication case which is also broken by this proposal.

> > I've never worked for a company that didn't give me root on my
> > network-attached machines and let me configure them however I wanted.
>
> That's fine, but presumably these companies also provide some setup
> assistance to you. Does Google IT have any way to put configuration
> settings in your browser? For example, do you install packages from a
> Google provided repository? I've heard Google uses something called
> Goobuntu, or some such. Do you install your own machines, or does Google
> do that for you?

I don't want to comment on Google's internal practices. In general I have
never worked for a company where there haven't been computers that are
totally independent of any central management. I don't think relying on
central management is going to work. Even on things like my home intranet
I have had IP-based authentication CGI scripts with the characteristics
you describe, and I don't have a central IT management plan at home, I
assure you. :-)

> I think we should also look for more details here. These systems that
> are using the client IP address for authentication, is the client
> computer an end user computer with a browser installed on it?

If the server is a SOAP server, then no. But I don't see how that matters.
The problem isn't what the regular client is, the problem is what happens
when a Web browser is the client and sends requests to the server.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'