[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)
Adam Barth
cap-talk at adambarth.com
Mon Jul 6 13:51:56 EDT 2009
On Mon, Jul 6, 2009 at 10:26 AM, Rob Meijer <capibara at xs4all.nl> wrote:
> On Mon, July 6, 2009 07:54, Adam Barth wrote:
>>> I can't imagine Acme Finance would be happy about paying for a service
>>> with such a flaw. Maybe the problem is that I don't understand how the
>>> Origin header gets used.
>>
>> The service lets Acme Finance contact Google Finance directly from the
>> user's browser (i.e., without proxying via acme.com). This is
>> valuable to Acme.
>
> Wouldn't it be much simpler for this scenario if Google Finance would
> provide an API with which Acme Finance could create and manage proxies at
> google.com to delegate to individual users?
How would this work without leaking Acme Finance cookies / passwords
to Google? In other words, how could we secure such a system against
a malicious data provider?
Adam
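How the Origin header gets used in the direct-from-browser scenario Adam describes, as an added example that is not part of the thread or of any real Google or Acme service: the data provider (standing in for Google Finance) reads the Origin header the browser attaches to the cross-site request and decides whether the requesting site (standing in for acme.com) is allowed to read the response. The browser only ever sends the provider the provider's own cookies, so acme.com credentials are never in the request. The allowlist, hostnames and header values below are constructed placeholders.

```python
"""Server-side CORS origin check, illustrating the mechanism under discussion.

Added example; the data provider, allowed origins and header values are
constructed for this illustration and are not real endpoints or real code.
"""

# Origins the data provider has agreed to serve (constructed allowlist).
ALLOWED_ORIGINS = {"https://acme.com", "https://www.acme.com"}


def cors_response_headers(request_headers, allowed_origins=ALLOWED_ORIGINS,
                          with_credentials=False):
    """Decide the CORS response headers for one request.

    Returns a dict of headers to add to the response, or None when the
    request gets no CORS headers at all (the browser then withholds the
    response body from the calling page). Serving the data is the
    provider's choice; the Origin header is what the choice is based on.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        # Same-origin request or a non-browser client: CORS does not apply.
        return None
    origin = origin.strip().lower()
    # "null" is sent for sandboxed or opaque origins; never allowlist it.
    if origin == "null" or origin not in allowed_origins:
        return None
    headers = {
        # Echo the one matching origin; "*" would grant every site access.
        "Access-Control-Allow-Origin": origin,
        # Caches must key on Origin, or one site's response serves another.
        "Vary": "Origin",
    }
    if with_credentials:
        # Only meaningful with a specific origin, never with "*".
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_response(request_headers, allowed_origins=ALLOWED_ORIGINS,
                       allowed_methods=("GET",), allowed_headers=()):
    """Answer an OPTIONS preflight; None means the preflight is refused."""
    base = cors_response_headers(request_headers, allowed_origins)
    if base is None:
        return None
    method = request_headers.get("Access-Control-Request-Method", "").strip().upper()
    if method not in allowed_methods:
        return None
    requested = [h.strip().lower() for h in
                 request_headers.get("Access-Control-Request-Headers", "").split(",")
                 if h.strip()]
    allowed_lower = {h.lower() for h in allowed_headers}
    if any(h not in allowed_lower for h in requested):
        return None
    base["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
    if allowed_headers:
        base["Access-Control-Allow-Headers"] = ", ".join(allowed_headers)
    base["Access-Control-Max-Age"] = "600"
    return base


if __name__ == "__main__":
    # Constructed requests: one from the allowed site, one from an unknown site.
    print(cors_response_headers({"Origin": "https://acme.com"}))
    print(cors_response_headers({"Origin": "https://other.example"}))
    print(preflight_response({"Origin": "https://acme.com",
                              "Access-Control-Request-Method": "GET"}))
```

The check runs on the provider side for every cross-site request, and the decision is per origin: the provider learns which site is asking, nothing about that site's users' credentials at the site itself.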