[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)
Adam Barth
cap-talk at adambarth.com
Fri Jun 26 14:03:21 EDT 2009
On Fri, Jun 26, 2009 at 10:46 AM, Ben Laurie<benl at google.com> wrote:
> On Fri, Jun 26, 2009 at 6:02 PM, Adam Barth<cap-talk at adambarth.com> wrote:
>> On Fri, Jun 26, 2009 at 9:10 AM, Toby Murray<toby.murray at comlab.ox.ac.uk> wrote:
>>> Hold on a sec. You've already said that Bob's Finance can simply act as
>>> a browser and visit acme to achieve the same end. Similarly, I can't see
>>> why Bob's finance can't just send a request to Google with an "Origin:
>>> finance.acme.com". So with Origin:, Bob can still get and display Google
>>> finance data on his site.
>>
>> It's important to distinguish Bob's server-side code from his
>> client-side code. The code on the client can't forge the Origin
>> header.
>
> It can with the user's (or his machine's) cooperation.
Sure, but we're discussing how browsers should behave. If the
user changes the behavior of the browser, then it doesn't matter what
the spec says.
Adam
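A server-side view of the Origin check the thread is debating, as an added example and not code from the thread or from any of its participants: a hypothetical helper that maps the browser-supplied Origin header to CORS response headers against an allowlist. The allowlist and host names are constructed for illustration.

```python
"""Origin-based CORS decision: which other sites' scripts may read a response.

Added example, not from the thread. The point it shows: the browser, not
the page's script, sets Origin, so this check governs cross-origin reads
from inside a user's browser. It is not authentication of the requester,
because a server-side client can send any Origin it likes.
"""
from typing import Optional

# Constructed allowlist of web origins allowed to read the finance data
# from a user's browser. Match scheme + host (+ port) exactly; a prefix or
# substring test would also admit e.g. finance.acme.com.evil.example.
ALLOWED_ORIGINS = frozenset({
    "https://finance.acme.com",
})


def cors_headers(origin: Optional[str], allowed=ALLOWED_ORIGINS) -> dict:
    """Return the CORS response headers for a request carrying `origin`."""
    # Caches must not serve one origin's grant to a different origin.
    headers = {"Vary": "Origin"}
    if origin is None:
        # Same-origin request, or a client that sent no Origin: no grant.
        return headers
    if origin == "null":
        # Opaque origins (sandboxed frames, file://) are never granted.
        return headers
    if origin in allowed:
        # Echo the exact allowed origin rather than "*": a wildcard cannot
        # be paired with credentials, and would grant every site.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for o in ("https://finance.acme.com",
              "https://finance.acme.com.evil.example", None, "null"):
        print(repr(o), "->", cors_headers(o))
```

Whatever this function decides, the data itself still has to be protected by the request's own credentials, since only browsers enforce the headers it returns.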