Jon -- A big concern from our point of view (note: some mental gemnastics
may be involved in following this) is that a site accessed from another
"trusted" site via cross-origin credentials, may serve sensitive data to an
unprivileged user. That constitutes a data breach and as such, tends to
cause alarms to go off around here. Speaking as someone who just endured
over 2 months of bureaucratic wrangling to gain access to a "restricted"
dataset, if the work to get those data got worse because someone had made
this same set publicly accessible, even inadvertently, it would start
approaching "useless" within my organization.
Benno -- tell me you don't expect Microsoft to conform to a standard they
don't either own, or have claimed to own?
gerry
On Thu, Apr 25, 2013 at 9:46 AM, Jon Blower <j.d.blower@xxxxxxxxxxxxx>wrote:
> Hi all,
>
> An honest (and perhaps innocent) question - if a server is already public
> and read-only, what is there to lose by enabling CORS? The cross-origin
> security constraints exist for the security of the client (browser), not
> the server. You could after all be accessing the server through something
> that isn't a browser at all.
>
> However, if a server requires logins, and/or allows changes to the server
> to be made through the web interface, then CORS is perhaps more of an issue
> (most of the examples in the website Dennis quotes are around these use
> cases).
>
> >From that same website, the risk of allowing CORS for a public read-only
> site appears to be that an attacker could use users' web browsers to
> perform a distributed denial-of-service attack, which is surely already
> possible anyway (and is why many sysadmins implement throttling or some
> other strategy).
>
> Cheers,
> Jon
> (not a security expert or a sysadmin!)
>
> _______________________________________________
> thredds mailing list
> thredds@xxxxxxxxxxxxxxxx
> For list information or to unsubscribe, visit:
> http://www.unidata.ucar.edu/mailing_lists/
>
--
Gerry Creager
NSSL/CIMMS
405.325.6371
++++++++++++++++++++++
“Big whorls have little whorls,
That feed on their velocity;
And little whorls have lesser whorls,
And so on to viscosity.”
Lewis Fry Richardson (1881-1953)