[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)

Adam Barth cap-talk at adambarth.com
Mon Jul 6 13:22:26 EDT 2009


On Mon, Jul 6, 2009 at 3:37 AM, Ben Laurie<benl at google.com> wrote:
> With a plugin, or a custom browser.

Can you set up a demo site with a proof of concept that works in my browser?

> But I think Alan's point was that the user could forge the header.

Users don't send HTTP requests. Software sends HTTP requests.

The main point you seem to be missing is that CORS only bridges
security restrictions imposed by the browser.  A user with a custom
browser can already do all the things that CORS could possibly allow.

> And neither Google nor Acme Finance care if users forge the header and
> thus get access themselves?

Please read the statement of the problem for the answer to this question.

Adam
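The distinction drawn in the message above, as an added example that is not part of the original thread: a toy model in which the server grants access on authentication alone and uses the Origin header only to decide which Access-Control-Allow-Origin value to emit, while a browser-like client honors that header and any other software simply reads the body. The names (server, browser_fetch, raw_client_fetch, ALLOWED_ORIGINS) and the sample origins are constructed for the illustration.

```python
# Added example, not from the original thread: models why CORS is a
# browser-enforced restriction rather than server-side access control.
from dataclasses import dataclass, field
from typing import Dict, Optional

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed sample config


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def server(request_headers: Dict[str, str], authenticated: bool) -> Response:
    """Toy resource server.  Access is decided by authentication only; the
    Origin header merely selects which Access-Control-Allow-Origin to send.
    Treating Origin as proof of anything would be the mistake under debate."""
    if not authenticated:
        return Response(401)
    origin = request_headers.get("Origin")
    headers: Dict[str, str] = {}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    return Response(200, headers, "account balance: 42")


def browser_fetch(page_origin: str, authenticated: bool) -> Optional[str]:
    """Models a compliant browser: it sets Origin itself (page script cannot
    change it) and withholds the body from the page unless the server opted in."""
    resp = server({"Origin": page_origin}, authenticated)
    if resp.status != 200:
        return None
    if resp.headers.get("Access-Control-Allow-Origin") != page_origin:
        return None  # CORS check fails: the page never sees the body
    return resp.body


def raw_client_fetch(origin_header: str, authenticated: bool) -> Optional[str]:
    """Models any non-browser software (a plugin, a custom browser, a script):
    Origin is whatever it chooses and the body is read regardless of CORS
    headers, because nothing on the client side enforces them.  The user
    still only obtains what their own credentials already permit."""
    resp = server({"Origin": origin_header}, authenticated)
    return resp.body if resp.status == 200 else None
```

Run side by side, the browser model is denied for a non-listed origin while the raw client reads the same body with any Origin value, yet neither obtains anything without authentication.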

