I have recently read through:
https://developer.mozilla.org/En/HTTP_access_control
https://wiki.mozilla.org/Security/Origin

I've discussed what I've read and learned with my coworkers and there's been some confusion. I understand and appreciate the need for a security policy that allows for cross-site https requests. I do not understand how Access-Control-Allow-Origin addresses usability and security concerns.

The basis of our confusion:
I create domain-a.com and I want to make an ajax request to domain-b.com. A preflight request is made to domain-b, and domain-b responds with whether it is safe to send the request.

Does it not make more sense for me (the author of domain-a) to define the security policy of my website? I know each and every request that should be made on my site and can define a list of all acceptable content sources. If the preflight request is made to domain-a (not domain-b) then the content author is the source of authority.

As a more functional example (and the source of my curiosity): I work for the University of Central Florida. I am currently working on a subdomain that wants to pull from the main .edu TLD. The university has yet to define an Access-Control header policy, so my subdomain is unable to read what's available on the main .edu website.

Additionally, if I am working with authorized content, it would be useful for me to define/limit where cross-site requests can be made. It seems backwards that an external source can define a security policy that affects the usability of my content.

I sincerely appreciate any time you can give explaining the policy.
Thank you for all the great work that's been done.

Sincerely,
Douglas Beck

--
Douglas Beck
Web Communications | 407.823.1699
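The exchange the message asks about, modelled as an added example (Python, not code from the original message or from Mozilla's documentation): the resource server, domain-b in the question, publishes its policy in response headers, and the browser enforces that policy on the user's behalf before script on the requesting page, domain-a, may read the response. The origin names other than domain-a.com, the allowed-method set and the header values are constructed sample data.

```python
"""Model of the CORS handshake: the server that owns the data (domain-b) decides
which origins may read it; the browser applies that decision for the page on
domain-a. Added example with constructed origins and policy values."""

# Origins the operator of domain-b has chosen to trust (constructed sample values).
ALLOWED_ORIGINS = {"https://domain-a.com", "https://sub.example.edu"}
ALLOWED_METHODS = {"GET", "PUT"}

# Methods and header names that do not trigger a preflight (CORS-safelisted).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def needs_preflight(method, request_headers):
    """Browser rule: a non-simple method or a custom header forces an OPTIONS preflight."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    return any(name.lower() not in SAFELISTED_HEADERS for name in request_headers)


def server_cors_headers(origin, allowed_origins, with_credentials=False):
    """domain-b's decision for a given Origin header: grant by echoing it, or stay silent."""
    headers = {}
    if origin in allowed_origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"  # the answer differs per origin; caches must not mix them
        if with_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def handle_preflight(origin, requested_method, requested_headers,
                     allowed_origins=ALLOWED_ORIGINS, allowed_methods=ALLOWED_METHODS):
    """domain-b's answer to the OPTIONS preflight the browser sends before a non-simple request."""
    headers = server_cors_headers(origin, allowed_origins)
    if headers and requested_method.upper() in allowed_methods:
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(allowed_methods))
        headers["Access-Control-Allow-Headers"] = ", ".join(requested_headers)
        headers["Access-Control-Max-Age"] = "600"  # browser may cache this verdict for 10 minutes
    elif headers:
        # Origin is trusted but the method is not: grant nothing, so the browser blocks the request.
        headers = {}
    return headers


def browser_allows_read(page_origin, response_headers, with_credentials=False):
    """Browser enforcement: may script running on page_origin read this response?"""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        # A wildcard is refused for credentialed requests: the server must name the origin
        # and explicitly allow credentials, or the user's cookies would expose private data
        # to any site the user happens to visit.
        if acao == "*" or response_headers.get("Access-Control-Allow-Credentials") != "true":
            return False
    return acao == "*" or acao == page_origin


def cross_origin_request(page_origin, method, request_headers, with_credentials=False):
    """Full flow from the page's point of view; returns the outcome as a short string."""
    if needs_preflight(method, request_headers):
        preflight = handle_preflight(page_origin, method, list(request_headers))
        if not browser_allows_read(page_origin, preflight):
            return "blocked at preflight"
    # Simple requests are sent regardless (with cookies if with_credentials); the policy
    # headers on the response decide only whether script may read what came back.
    response = server_cors_headers(page_origin, ALLOWED_ORIGINS, with_credentials)
    if browser_allows_read(page_origin, response, with_credentials):
        return "readable"
    return "sent but unreadable"


if __name__ == "__main__":
    print(cross_origin_request("https://domain-a.com", "GET", {}))                 # readable
    print(cross_origin_request("https://domain-a.com", "PUT", {"X-Token": "1"}))  # readable
    print(cross_origin_request("https://attacker.example", "GET", {}))            # sent but unreadable
    print(cross_origin_request("https://attacker.example", "DELETE", {}))         # blocked at preflight
```

The third outcome is the one that answers the "why domain-b?" question: a simple GET from an untrusted origin still reaches domain-b, exactly as a form submission or image load would; what Access-Control-Allow-Origin governs is whether the requesting page gets to read the reply, and since the browser attaches the user's cookies for domain-b, only domain-b can say who may read data served under those cookies. Limiting where a page's own scripts may send requests is a separate control on the requesting side, the connect-src directive of Content Security Policy, not something the CORS response headers express.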