On 12/1/11 3:48 PM, Jonas Sicking wrote:
On Thu, Dec 1, 2011 at 1:51 PM, Charles Pritchard<ch...@jumis.com> wrote:
There are serious security implications for enabling CORS, even with
session-less requests.
It's going to be a very long opt-in process for file sharing services.
This is a very strong statement backed up by absolutely no information
or data at all. Not very convincing.
Please clarify what you are referring to.
Direct and anonymous read access is a very new thing.
At it's most basic: UAs have always required a server, somewhere, to
proxy anonymous requests. With direct access, items like IP-based
security and auditing are not as reliable. It'd be very easy to do
screen scraping on sites that don't particular want scraping to be done.
While it's easy now, it has to be done from the server-side. When hosts
open up their servers, they're allowing it to be done client-side.
For my interests, I very much want <img crossorigin=anonymous> to work
everywhere.
Yehuda is simply asking for a change to the text, describing the
implications of enabling CORS... That's fine.
I'll comment on it when I see the text.
-Charles
