[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)
Adam Barth
cap-talk at adambarth.com
Tue Jul 7 11:59:35 EDT 2009
On Tue, Jul 7, 2009 at 5:26 AM, Dave Chizmadia - Gmail <davechiz at gmail.com> wrote:
> Adam,
>
>> If I understand this proposal correctly, this requires the browser to
>> contact Acme.com for each request it wants to send to
>> finance.google.com. That kind of defeats the point of talking to
>> finance.google.com directly from the browser.
>
> You don't understand the proposal correctly, but that
> may be because of my unstated assumption that the actual
> accesses to finance.google.com are being generated by
> Javascript code in the form of the stockTicker widget.
How does the stock ticker widget generate these requests to
finance.google.com? How does finance.google.com know to accept the
requests?
> Since the unique library instance was requested by Acme,
> all use of that instance is charged to Acme.
Why do you assume finance.google.com wants to charge Acme per request?
I don't think we want to lock in that business model. For example,
Acme might pay a monthly subscription fee for all-you-can-eat stock
ticker data, or might only need to sign a terms of service to use the
service (i.e., not be required to pay Google at all).
> To provide a
> slight additional level of protection, finance.google could
> introduce a policy to only respond to calls on the unique
> library instance URLs from a single IP address.
Surely we don't want to base the future of web security on IP
authentication. That's a serious layer violation.
Adam