On Thu, Jul 19, 2012 at 2:54 PM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Thu, Jul 19, 2012 at 2:43 PM, Henry Story <henry.st...@bblfish.net> wrote:
>> If a mechanism can be found to apply restrictions for private IP ranges then
>> that should be used in preference to forcing the rest of the web to implement
>> CORS restrictions on public data. And indeed the firewall servers use private
>> IP ranges, which do in fact make a good distinguisher for public and non
>> public space.
>
> It's not just private servers (there's no guarantee those only use
> private IP ranges either). It's also IP-based authentication to
> private resources as e.g. W3C has used for some time.

Isn't this mitigated by the Origin header?

Also, what about the point that this is unethically pushing the costs of
securing private resources onto public access providers?

Thanks,
Cameron Jones