[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)
Adam Barth
cap-talk at adambarth.com
Tue Jul 7 03:33:54 EDT 2009
On Mon, Jul 6, 2009 at 2:53 PM, Karp, Alan H<alan.karp at hp.com> wrote:
> Adam Barth wrote:
>>
>> Unless you can whistle to your modem, users don't make requests.
>> Software makes requests (perhaps on behalf of users, but perhaps not).
>>
> Point taken.
>>
>> The service lets Acme Finance contact Google Finance directly from the
>> user's browser (i.e., without proxying via acme.com). This is
>> valuable to Acme.
>>
> Now I get it. Bob's Finance could get the same data from Google Finance without paying by making a direct request with an Origin of acme.com, but Bob's Finance would have to proxy requests. Acme Finance gains a competitive advantage by not needing to proxy. The user has no interest in running a specialized browser to pretend to be Acme Finance because Acme Finance provides some added value.
Yes. Precisely.
> To your first point above, can the software making the request be a script on a page or a browser plug-in? If so, what prevents Bob's Finance from delivering to the user's browser software that will make requests as Acme Finance?
The browser's security policy prevents this. If you can build a demo
web site that forges the Origin header to finance.google.com in
Firefox 3.5, you should file a security bug, and Mozilla will issue a
patch to their users.
Adam